WO2022039012A1 - Document generation device, communication terminal, relay terminal, and document generation system - Google Patents


Publication number
WO2022039012A1
WO2022039012A1 PCT/JP2021/028626 JP2021028626W WO2022039012A1 WO 2022039012 A1 WO2022039012 A1 WO 2022039012A1 JP 2021028626 W JP2021028626 W JP 2021028626W WO 2022039012 A1 WO2022039012 A1 WO 2022039012A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
document
tag
filter
unit
Application number
PCT/JP2021/028626
Other languages
French (fr)
Japanese (ja)
Inventor
克彦 近藤
ジョンソン サード レイモンド ピー
Original Assignee
Tesnology株式会社
Application filed by Tesnology株式会社
Priority to JP2022543354A (JPWO2022039012A1)
Priority to KR1020237007118A (KR20230057373A)
Priority to EP21858160.1A (EP4195141A4)
Publication of WO2022039012A1
Priority to US18/172,047 (US20230196006A1)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/907 Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually
    • G06F16/93 Document management systems
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F40/00 Handling natural language data
    • G06F40/10 Text processing
    • G06F40/103 Formatting, i.e. changing of presentation of documents
    • G06F40/117 Tagging; Marking up; Designating a block; Setting of attributes
    • G06F40/12 Use of codes for handling textual entities
    • G06F40/123 Storage facilities
    • G06F40/166 Editing, e.g. inserting or deleting
    • G06F40/169 Annotation, e.g. comment data or footnotes
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06Q30/00 Commerce
    • G06Q30/02 Marketing; Price estimation or determination; Fundraising
    • G06Q30/0201 Market modelling; Market analysis; Collecting market data
    • G06Q30/0241 Advertisements
    • G06Q30/0251 Targeted advertisements
    • G06Q30/0261 Targeted advertisements based on user location
    • G06Q30/0269 Targeted advertisements based on user profile or attribute
    • G06Q30/0271 Personalized advertisement
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/01 Social networking
    • G06Q50/10 Services
    • G06Q50/18 Legal services
    • G06Q50/26 Government or public services
    • G06Q50/265 Personal security, identity or safety
    • G06Q2220/00 Business processing using cryptography

Definitions

  • the present invention relates to a technique for managing personal information.
  • DX Digital transformation
  • legacy systems can rather be a burden to businesses.
  • the present invention is an invention completed in view of the above-mentioned problem recognition, and its main purpose is to propose an individual-based data management technique.
  • The document generator includes a receiving unit that receives tagged data from an external terminal, an inspection unit that refers to a first filter indicating the tags required for a document of a predetermined format and determines whether or not the tag attached to the received data matches the first filter, and a document generation unit that generates a document based on data that matches the first filter.
  • The communication terminal in one embodiment of the present invention is connected to a document generator.
  • This communication terminal has a data storage unit that stores data and tags in association with each other, a filter setting unit that sets, according to input from the user, a second filter indicating the tags of data that can be transmitted to the outside, and a transmission unit that refers to the second filter, selects the data tagged with a tag included in the second filter, and transmits it to the document generator.
  • The transmission unit transmits the data corresponding to the missing tag to the document generator.
  • A communication terminal includes a receiving unit that receives tagged data from each of a plurality of servers, and a data management unit that associates the received data with a tag and stores it in a built-in storage device.
  • When the data management unit receives first data tagged with a first tag from a first server and receives the first data tagged with a second tag from a second server, it associates both the first tag and the second tag with the first data and stores them.
  • the relay terminal in one embodiment of the present invention is connected to a document generator.
  • The relay terminal includes an input unit that receives data input from the user, a reception unit that receives the first filter from the document generator, a data acquisition unit that reads tagged data from the information carrier owned by the user, an inspection unit that determines whether the tag attached to the read data matches the first filter, and a transmission unit that selects the read data that matches the first filter and transmits it to the document generator.
  • The transmission unit additionally transmits the data corresponding to the missing tag to the document generating device.
  • the document generation system in one embodiment of the present invention includes a communication terminal and a document generation device.
  • The communication terminal has a data storage unit that stores data and tags in association with each other, a filter setting unit that sets, according to input from the user, a second filter indicating the tags of data that can be transmitted to the outside, and a transmission unit that, when the document generation device is accessed, refers to the second filter, selects data tagged with a tag included in the second filter, and transmits the data to the document generation device.
  • The document generator includes a receiving unit that receives tagged data from a communication terminal, an inspection unit that refers to a first filter indicating the tags required for a document of a predetermined format and determines whether or not the tag attached to the received data matches the first filter, a document generation unit that generates a document based on data that matches the first filter, and a notification unit that notifies the missing tag when the data associated with some of the tags included in the first filter is insufficient.
  • The transmitting unit of the communication terminal transmits the data corresponding to the missing tag to the document generating device.
  • When the data corresponding to the missing tag is received, the document generation unit of the document generation device generates a document including the received data.
  • Personal information is managed by a DI engine (Digital Intelligence Engine) associated with an individual. Details will be described later, but instead of a service provider such as a company first collecting personal information and the user (service beneficiary) accessing the service provider's system to receive the service, the user manages personal information individually with the DI engine, and the service is provided when the service provider receives, from the user's personal information, the part necessary for the service.
  • the DI engine is mounted as a chip equipped with an MPU (Micro-Processor Unit) (hereinafter referred to as "DI chip").
  • the DI chip includes an MPU, a volatile memory and a non-volatile memory, and personal information is stored in the non-volatile memory.
  • the DI engine is, in a narrow sense, lightweight application software executed by the MPU of the DI chip, and in a broad sense, it is a general term for the functions exhibited by the entire DI chip. In the present embodiment, the DI engine means the latter unless otherwise specified.
  • the DI chip moves with the user. It is desirable that the DI chip is built in, for example, a smartphone owned by the user or a card owned by the user. It is desirable that the DI engine has a concierge function for the user in addition to a data storage function and an output function.
  • the DI engine stores the user's personal information. Personal information is encrypted and stored in the DI engine, and the server cannot freely collect personal information.
  • the server may store some personal information, but it is the DI engine that can store personal information freely and without restrictions.
  • the server receives some personal information from the DI engine to the extent permitted by the DI engine when providing the service.
  • the server S1 receives a part of personal information X1 from the DI engine of the user P1.
  • Another server S2 receives a part of personal information X2 from the DI engine of the user P1.
  • Personal information X1 and personal information X2 may have completely different contents, and some of them may be common. If there is an intersection XC of the personal information X1 and the personal information X2, the server S1 and the server S2 can cooperate with each other by using the intersection XC as a key.
  • The user on the service receiving side, not the service providing side, has "data sovereignty". Since the DI engine outputs only personal information permitted by the user, it is easy to protect privacy. The DI engine encrypts personal information and stores it on the DI chip.
  • the service provider does not provide the service after collecting an endlessly huge amount of personal information once, but provides the service by receiving the necessary personal information from the DI engine as appropriate.
  • DI chip application software is lightweight and size-saving software. At this stage, it is expected to be within 0.2MB. Even if it has a concierge function, the processing load is small because various processes are basically performed based on the personal information stored in the DI engine. Since it does not assume cloud computing, the communication load is low and power consumption can be suppressed.
  • FIG. 1 is a conceptual diagram for explaining the cooperation of DI engines.
  • the DI engine collects personal data.
  • the user himself / herself may register personal information in the DI engine, or the DI engine may collect personal information from an external device such as a smartphone.
  • The DI engine of user P2 stores personal information that this user P2 is "Makoto Ihara", who is "from Saitama" and ate "tomato" on October 5, 2020.
  • User P2 takes a picture of tomatoes with a smartphone when eating tomatoes.
  • the DI engine may determine that the user P2 ate the tomato when the smartphone photographed the tomato.
  • the user P2 himself may register the personal information in the DI engine.
  • the method of registering personal information in the DI engine is arbitrary.
  • a personal information management system as a whole is formed by exchanging personal information between multiple DI engines.
  • the user P1 may be set to be able to output (publicize) only a part of personal information such as "male" and "single".
  • When the user P2 communicates with the user P1 (DI engine), the user P2 can know that the user P1 is a single man.
  • Since the user P1 keeps the annual income information of "annual income of 5 million yen" private, the annual income information is not notified to the user P2.
  • the user P1 may disclose the annual income information to the user P3.
  • Each user can set personal information that can be disclosed according to the other party.
  • Information is physically carried by the DI engine. Since the DI engine of the user P1 provides personal information to the DI engine of the user P2, the DI engine of the user P2 can make a proposal suitable for the relationship between the user P1 and the user P2. For example, even if the user P1 and the user P2 meet for the first time, a common topic can be proposed. In the case of the above example, if the user P1 learns that the user P2 is from Saitama, he / she can start a conversation from the topic of Saitama prefecture. Since the DI engine stores personal information, it is thought that the burden of information management in the data center will be reduced.
  • the DI engine can narrow down the personal information that may be provided to the outside from the huge amount of personal information that it holds. It is also possible to narrow down the types of personal information that you want to receive from the personal information supplied by others.
  • The conventional information management system that collects and utilizes data in a (central) server is called a "central management system", and the information management system in which the DI engine stores the data and various processes are performed based on the data supplied from the DI engine is called a "distributed management system".
  • the company C1 that provides a certain service collects data independently in its own database DB1.
  • the company C2 that provides another service also collects data independently in its own database DB2. Since each of them collects data independently and greedily, most of the data stored in the database DB1 and the data stored in the database DB2 overlap. As a result, the same data will be duplicated and stored in many databases. Since the format of the database is different for each company, it is not expandable and it is difficult to link multiple databases.
  • In the distributed management system, since cooperation is based on the personal information received from the DI engine, the company does not need to have a database in which the requirements are properly defined. The company provides the service by receiving the necessary data from the DI engine with user approval. It is no longer necessary to constantly secure a large amount of personal information.
  • the personal information stored in the DI engine is diverse.
  • The DI engine of the user P1 contains personal information regarding the "annual income", but the DI engine of the user P2 does not include the "annual income" information.
  • The DI engine stores miscellaneous pairs of items (e.g., annual income) and data (e.g., 5 million yen). It is also possible to connect a plurality of pieces of personal information such as "Eat: Tomato" and "Date: October 5, 2020" of user P2. If user P1 wants to know what user P2 has recently eaten and user P2 is willing to provide the information that user P2 "ate tomatoes on October 5, 2020", user P1 can know that user P2 ate tomatoes on October 5, 2020.
  • From this information, the DI engine of the user P1 can judge that "user P2 can eat tomatoes" or "user P2 may like tomatoes". As a result, the DI engine of the user P1 may determine that the tomato dish should be served to the user P2.
  • In the information management system in this embodiment, managing personal information with a DI engine makes it possible to suppress duplicate storage of the same data in databases. In addition, it is possible to reduce input errors and copy errors when the operator registers personal information in the database. This is because the service provider obtains personal information from the DI engine as needed and processes it as needed. In addition, by managing personal information with a DI engine, the risk of large-scale information leakage is reduced.
  • The conventional centralized management system focuses on capturing business opportunities by proposing appropriate services to individuals by statistically processing a large amount of personal information. For example, when a user purchases a product A, the system proposes a product B to this user because people who purchased the product A often purchase the product B.
  • The distributed management system in this embodiment can provide a service that suits individual values by analyzing personal information obtained from the DI engine. For example, when a user enters a store and the DI engine finds that it has been some time since the user bought toilet paper, the DI engine may suggest buying toilet paper.
  • For coronavirus 2 (severe acute respiratory syndrome coronavirus 2), it is a guideline for consultation that a "fever of 37.5 degrees or higher continues for 4 days or longer".
  • Since the normal body temperature varies depending on the individual, it is considered desirable to set the reference value to 37.5 degrees or higher for the user who originally has a high normal body temperature.
  • the DI engine may detect the user's body temperature and determine the necessity of consultation based on its own reference value.
  • the DI engine is the key to information management as a DMS (Data Management System).
  • BMS (Battery Management System)
  • EMS (Energy Management System)
  • the MPU installed in the DI engine is not required to have that much processing power.
  • the MPU may be a low-performance CPU (Central Processing Unit) or a GPU (Graphics Processing Unit).
  • the MPU may be an FPGA (Field-Programmable Gate Array).
  • the DI engine may be installed in the database.
  • a DI engine may be mounted on the database.
  • the DI engine stores the data in the database as it is.
  • the DI engine searches the database for the desired data and outputs it.
  • the DI engine weights each data according to the frequency of use of the data. Specifically, the searchability of data can be improved by increasing the priority of frequently used data, for example, data such as name.
  • By setting the importance (rating) of the data according to the actual usage state of the database, without defining the requirements related to the data structure, both the ease of inputting data and the ease of acquiring data can be enhanced.
  • the DI engine may have a function of collecting words contained in academic literature, SNS (Social Networking Service), news articles, etc., and making a connection between them. For example, when the word W2 appears in the vicinity of the word W1 (for example, the same sentence and the same paragraph), it is assumed that the word W1 and the word W2 are related. By analyzing the strength of the relationship, the connection of information can be visualized. The strength of the association may be determined by applying a known technology such as Word2Vec.
  • the POS terminal of the store may recommend the product A when the user P1 visits the store on a rainy day.
  • If shoplifters often buy product B first and then shoplift, it is possible to preferentially mark the person who chose product B.
  • the DI engine stores personal information about when and what medicine the user took or was prescribed. Physicians can more appropriately prescribe by simply obtaining information about the drug history from the DI engine. In addition, if personal information regarding the physical condition of the user can be obtained from the DI engine, it is possible to change the type and amount of the drug according to the physical condition.
  • the same concept may be expressed in different terms depending on the company or department.
  • one concept X is called the term Y1
  • the same concept X is called the term Y2.
  • the term group G1 associated with the term Y1 is extracted from the DI engine of the user of the department E1
  • the term group G1 associated with the term Y2 is extracted from the DI engine of the user of the department E2.
  • both DI engines can recognize that the term Y1 and the term Y2 correspond to the same or similar concepts.
  • Once personal information is managed by the DI engine, it is conceivable to manage or back up a part of personal information in small units such as family members. For example, assuming that the amount of information stored in the DI engine is M1, the user causes an edge server operated by the family to back up a part of personal information. The amount of personal information stored in the edge server may be about M1 × 0.1. According to such a control method, the user manages personal information with the DI engine and provides a part of personal information that can be shared by the family to the edge server.
  • Each member provides a part of personal information to a car owned by a family (a kind of edge server), so that the car may change the driving assist method according to the user.
  • the personal information may be provided as shared information to communities such as condominiums, schools, and workplaces.
  • The personal information provided may be limited to information necessary and useful in the community, such as name, gender, and address.
  • By having individuals manage personal information with the DI engine and provide personal information to families, companies, regions, nations, etc. in a limited manner, it becomes easier to enjoy the convenience gained from the community while protecting sovereignty over data management.
  • FIG. 2 is a conceptual diagram of data exchange by government offices, companies, and individuals.
  • the government office has a database DB1 of My Number and a database DB2 of Juki Net (Basic Resident Register Network System).
  • the data group of the database DB1 and the data group of the database DB2 are collectively input to the DI engine of the government office.
  • "name", "address", "my number", "age", and "occupation" are registered as personal information in the database DB1 in association with each other.
  • The data of the database DB1 and the database DB2 can be integrated for the user P1 (name: Ichiro Sato). The same applies to other users.
  • When the user P1 wants to obtain a resident's card from the local government, he / she provides the personal information (example: name and address) necessary for obtaining the resident's card from the DI engine to the government office.
  • the government office may create a resident's card and send the resident's card data to the mobile terminal of the user P1.
  • the local government in charge of the resident's card issuance business does not need to manage data other than the data necessary for issuing the resident's card, for example, the work history of the user.
  • the municipality manages only the official data that should be stored for the service, and other information necessary for the service may be obtained from the residents' DI engine as appropriate.
  • the company may also send product information or advertisements to the customer based on the personal information provided by the customer's DI engine. Even when multiple companies provide services to one customer, cooperation through the DI engine is possible. For example, when the user P1 provides the information that "I often ride in a car", the automobile manufacturer may propose a new car, or the city hall may propose a drive spot in the city. When the user P1 becomes interested in the proposed drive spot, an advertisement may be sent to the user P1 from a shop near the drive spot. The shop does not need to know the surname of user P1.
  • The method of collecting and utilizing personal information will be described separately in the first to third embodiments.
  • a method of aggregating personal information (data) distributed in a plurality of file servers into a user terminal (communication terminal) will be described.
  • a method of issuing an official document by using personal information stored in a user terminal having a function of connecting to the Internet will be described.
  • a method of issuing an official document using personal information stored in a badge (information carrier) having no connection function with the Internet will be described.
  • FIG. 3 is a hardware configuration diagram of the document generation system 200.
  • the document generation system 200 includes a document generation device 100, a plurality of file servers 104, and a user terminal 300.
  • the document generator 100, the file server 104, and the user terminal 300 are connected via the Internet 102.
  • the user terminal 300 is a communication terminal owned by the user, and is assumed to be a laptop PC (Personal Computer), a tablet PC, a smartphone, or the like.
  • the user terminal 300 may be a so-called wearable terminal such as a smart watch (wristwatch type mobile information terminal).
  • the user terminal 300 in the present embodiment will be described as being a smartphone.
  • the user terminal 300 is equipped with a DI engine.
  • the user terminal 300 may be equipped with a DI chip, or application software that realizes a function as a DI engine may be installed in the user terminal 300.
  • the file server 104 is a database operated by a public institution or the like, and manages personal information of users.
  • the operator of the file server 104 is assumed to be a local government, a government office, a company, an educational institution, a financial institution, or the like. Each institution manages user's personal information in its own format.
  • the document generation device 100 is a device for creating and issuing official documents.
  • the document generator 100 in this embodiment is operated by an administrative agency.
  • the document generation device 100 issues various official documents such as a resident's card, a book card, a copy of a family register, a driver's license, and a certificate of registered information.
  • the user registers the user ID and password in the document generator 100 in advance.
  • the document generation device 100 confirms the identity of the user based on the user ID and password.
  • FIG. 4 is a functional block diagram of the document generator 100.
  • Each component of the document generator 100 is realized by hardware, including a CPU (Central Processing Unit), computing units such as various co-processors, storage devices such as memory and storage, and the wired or wireless communication lines connecting them, and by software that is stored in a storage device and supplies processing instructions to the computing units.
  • the computer program may be composed of a device driver, an operating system, various application programs located on the upper layer thereof, and a library that provides common functions to these programs.
  • Each block described below shows a block for each function, not a configuration for each hardware. The same applies to the user terminal 300 of FIG. 5 and the relay terminal 400 of FIG. 7.
  • the document generation device 100 includes a communication unit 110, a data processing unit 112, and a data storage unit 114.
  • the communication unit 110 is in charge of communication processing with the user terminal 300, the relay terminal 400 (described later), and the file server 104 via the Internet 102.
  • the data storage unit 114 stores various information.
  • the data processing unit 112 executes various processes based on the data acquired by the communication unit 110 and the data stored in the data storage unit 114.
  • the data processing unit 112 also functions as an interface between the communication unit 110 and the data storage unit 114.
  • the communication unit 110 includes a transmission unit 118 that transmits various information to an external device such as a user terminal 300, and a reception unit 116 that receives various information from the external device.
  • the transmission unit 118 includes a notification unit 120 that notifies the user terminal 300 of the missing data when the data necessary for issuing a document is missing.
  • the data processing unit 112 includes an inspection unit 122, a certification unit 124, a document generation unit 126, and a filter setting unit 128.
  • the inspection unit 122 determines whether or not to accept the data received from the external device such as the user terminal 300 based on the first filter (described later).
  • the certification unit 124 confirms the authenticity of the official document when making an inquiry from the outside.
  • the document generation unit 126 generates official documents.
  • the filter setting unit 128 sets the first filter according to the type of the official document.
  • FIG. 5 is a functional block diagram of the user terminal 300.
  • the user terminal 300 includes a user interface processing unit 302, a communication unit 304, a data processing unit 306, and a data storage unit 308.
  • the user interface processing unit 302 is in charge of processing related to the user interface, such as image display and audio output, in addition to accepting operations from the user.
  • the communication unit 304 is in charge of communication processing with the document generation device 100, the file server 104, etc. via the wireless communication network.
  • the data storage unit 308 stores various information.
  • the data processing unit 306 executes various processes based on the data acquired by the user interface processing unit 302 and the communication unit 304 and the data stored in the data storage unit 308.
  • the data processing unit 306 also functions as an interface for the user interface processing unit 302, the communication unit 304, and the data storage unit 308.
  • the user interface processing unit 302 includes an input unit 310 and an output unit 312.
  • the input unit 310 receives various operations from the user.
  • the output unit 312 outputs various information by images, sounds, and the like.
  • the communication unit 304 includes a transmission unit 314 that transmits various information to an external device such as a document generation device 100, and a reception unit 316 that receives various information from the external device.
  • the data processing unit 306 includes a filter setting unit 318 and a data management unit 320.
  • the filter setting unit 318 controls the outputable range of personal information stored in the data storage unit 308 by setting a second filter (described later).
  • the data management unit 320 manages personal information in the data storage unit 308.
  • the data management unit 320 also encrypts the data stored in the data storage unit 308 and decrypts the data read from the data storage unit 308.
  • FIG. 6 is a schematic diagram for explaining a method of aggregating personal information distributed in a plurality of file servers 104 in a user terminal 300.
  • the personal information of the user may be managed by the user terminal 300 or the like, or may be managed by the file server 104.
  • the user can collect various personal information distributed in each file server 104 in the user terminal 300.
  • the file server 104a is operated by the public institution A and the file server 104b is operated by another public institution B. Since the public institutions A and B operate the file server 104a and the file server 104b, respectively, there is no uniformity in the data management methods of both.
  • Personal information about the user PX in the file server 104a is managed as a combination of “items” and “data”.
  • “data” shall mean a part of personal information associated with an item, and a collection of data is called “personal information”.
  • In the file server 104b, personal information about the user PX is managed as a combination of items and data.
  • In the file server 104b, four types of data, "item TA: data D1", "item TE: data D2", "item TC: data D3", and "item TF: data D5", are managed together with the items.
  • the user terminal 300 manages personal information by associating data with tags.
  • the "tag" is a concept that defines the attributes of data, and the "item name" corresponds to the tag in the present embodiment.
  • the transmission unit 314 of the user terminal 300 transmits a data acquisition request (download request) to the file server 104a, and the reception unit 316 downloads the personal information of the user PX from the file server 104a.
  • the data management unit 320 associates the "data D1" with the "tag TA” and registers them in the data storage unit 308.
  • data D1 (TA): the data D1 to which the tag TA is attached.
  • the user terminal 300 also downloads the personal information of the user PX from the file server 104b.
  • "Item TA: Data D1" is duplicate data acquired from both the file server 104a and the file server 104b.
  • the data management unit 320 registers only one data D1 (TA) in the data storage unit 308.
  • When the user terminal 300 receives the "item TB: data D2" from the file server 104a, the user terminal 300 associates the tag TB with the data D2 and saves it as the data D2 (TB). Subsequently, when the "item TE: data D2" is received from the file server 104b, the tag TE is also associated with the data D2. That is, the data management unit 320 registers the data D2 (TB, TE) in the data storage unit 308. For example, TB is an "address" and TE is a "place", and the file server 104a and the file server 104b may manage the same data D2 with different item names. In this case, the data management unit 320 associates a single data D2 with a TB tag (address) and a TE tag (location).
  • the "item TC: data D3" possessed by the file server 104a is also possessed by the file server 104b.
  • the "item TD: data D4" possessed by the file server 104a is not possessed by the file server 104b, and the "item TF: data D5" possessed by the file server 104b is not possessed by the file server 104a.
  • personal information is selectively transmitted from the user terminal 300 equipped with the DI engine to the document generation device 100, and the document generation device 100 generates various official documents based on the received personal information.
  • the official document is transmitted as electronic data from the document generator 100 to the user terminal 300.
  • FIG. 7 is a schematic diagram for explaining output control by the second filter 330.
  • the user terminal 300 controls the output range of personal information by the second filter 330.
  • the inputtable range of personal information is controlled by the first filter.
  • the first filter will be described later in relation to FIG.
  • In the second filter 330, a tag that permits data output (hereinafter referred to as “permission tag”) and a tag that does not permit data output (hereinafter referred to as “prohibited tag”) are set.
  • the user PX designates the permission tag and the prohibition tag of the second filter 330 in the user terminal 300.
  • the filter setting unit 318 sets the second filter 330 according to the designation from the user PX.
  • the transmission unit 314 determines whether or not various data stored in the data storage unit 308 can be output according to the second filter 330.
  • the transmission unit 314 transmits the data D1 (TA) to an external device such as the document generation device 100.
  • the tag TB of the data D2 (TB, TE) is a prohibited tag, but since the tag TE is a permission tag, the transmission unit 314 also permits transmission of the data D2 (TB, TE).
  • the transmission unit 314 permits transmission if any one of the plurality of tags is a permission tag.
  • the transmission unit 314 permits the transmission of data D3 (TC). Similarly, since the tag TD is also a permission tag, the transmission unit 314 also transmits the data D4 (TD). On the other hand, since the tag TF is a prohibited tag, the data D5 (TF) is not output from the user terminal 300 to the outside. In this way, by setting the second filter 330, the user PX can control which of the various personal information stored in the data storage unit 308 is "data that may be output to the outside" and which is "data that must not be output to the outside".
  • FIG. 8 is an example of the format of the official document 130 issued by the document generator 100.
  • the document generator 100 issues various official documents 130 such as a resident's card and a driver's license.
  • the required data, its layout, design, and the like are predetermined for each official document 130.
  • the official document 130 shown in FIG. 8 is a resident's card, and five types of entry fields 132 of various sizes are set. In the following, a scene in which the user PX receives the issuance of the official document 130 shown in FIG. 8 will be described.
  • Tags TA, TB, TC, TF, and TG are associated with each of the five types of entry fields 132. That is, in order to issue the official document 130, the user PX needs to provide the data associated with these tags to the document generation device 100.
  • When issuing the official document 130, the document generation unit 126 describes the issue date and time in the issue date column 136. Further, when issuing the official document 130, the document generation unit 126 generates a document ID for identifying the issued official document 130.
  • the official document 130 also describes a two-dimensional code 134 including a document ID and an issue date and time.
  • the document generation unit 126 may include the URI (Uniform Resource Identifier) of the document generation device 100 in the two-dimensional code 134.
  • FIG. 9 is a data structure diagram of the document definition table 140.
  • the document definition table 140 is stored in the data storage unit 114 of the document generation device 100.
  • the document definition table 140 is a file that defines tags (items) required for each document type.
  • the document type indicates the type of the official document 130. Personal information to be described differs depending on the document type. For example, the type and amount of data to be entered differs between a resident card and a book card.
  • the official document 130 of the document type F1 (hereinafter referred to as "official document 130 (F1)") requires data to which the tags TA, TB, TC, and TD are attached.
  • the tags required by the official document 130 include “essential tags” and “arbitrary tags”.
  • essential data: the data corresponding to the required tag
  • arbitrary data: the data corresponding to the arbitrary tag
  • tags that are not required for creating the official document 130 are called “unnecessary tags”, and data corresponding to the unnecessary tags are called “unnecessary data”.
  • the above-mentioned four tags TA, TB, TC, and TD are all essential tags for the official document 130 (F1).
  • the document generation unit 126 can generate the official document 130 (F1) if the user PX provides the essential data corresponding to these four essential tags.
  • the required tags of the official document 130 (F3) are the tags TA, TE, TK, and the tag TH is an optional tag.
  • the document generation unit 126 generates the official document 130 (F3) if the required data corresponding to the required tags TA, TE, and TK can be acquired.
  • the document generation unit 126 also describes the arbitrary data (TH) in the official document 130 (F3).
  • the document generation unit 126 issues the official document 130 (F3) that does not include the arbitrary data (TH).
  • FIG. 10 is a data structure diagram of the issuance history information 150.
  • the issuance history information 150 is also stored in the data storage unit 114 of the document generation device 100.
  • When the document generation unit 126 issues the official document 130 in response to a request from the user, it generates a document ID and records the issue date and time.
  • the document generation unit 126 describes the two-dimensional code 134 including the document ID and the issue date and time in the official document 130, and also registers it in the issue history information 150.
  • the document ID and the issue date and time are collectively referred to as "issue information".
  • FIG. 11 is a schematic diagram for explaining the input control by the first filter 160.
  • the user terminal 300 controls the output range of personal information by the second filter 330.
  • the inputtable range of personal information is controlled by the first filter 160. That is, of the personal information stored in the user terminal 300, only the data whose output is permitted by the second filter 330 is transmitted to the document generation device 100, and among the data transmitted from the user terminal 300, only the data whose input is permitted by the first filter 160 is accepted as a processing target by the document generation device 100.
  • the official document 130 (F2) has five types of essential tags TA, TB, TC, TF, and TG.
  • the official document 130 (F2) corresponds to the official document 130 shown in FIG.
  • When the filter setting unit 128 of the document generation device 100 receives the issuance request of the official document 130 (F2) from the user terminal 300 of the user PX, it sets the permission tags and the prohibition tags of the first filter 160 based on the document definition table 140. Specifically, required tags and optional tags are set as permission tags, and unnecessary tags are set as prohibition tags. In the case of the official document 130 (F2), the tags TA, TB, TC, TF, and TG are permitted tags, and the tags TD and TE are prohibited tags.
  • Data D1 (TA), data D2 (TB, TE), data D3 (TC), and data D4 (TD) are transmitted from the user terminal 300 of the user PX to the document generator 100 through the second filter 330 (see also FIG. 7).
  • the inspection unit 122 of the document generation device 100 determines whether or not to accept these four types of data based on the first filter 160. Since the tags TA, TB, and TC are permitted tags, the inspection unit 122 accepts data D1 (TA), data D2 (TB, TE), and data D3 (TC). The data D2 (TB, TE) is output based on the tag TE because the tag TB is a prohibited tag and the tag TE is a permitted tag in the second filter 330 at the time of output. On the other hand, since the tag TB is a permission tag and the tag TE is a prohibition tag in the first filter 160 at the time of input, the data D2 (TB, TE) is received based on the tag TB. Data having a plurality of tags is, in this way, likely to be permitted for both output and input.
  • Since the tag TD is a prohibited tag, the inspection unit 122 does not accept the data D4 (TD). After receiving the data D4 (TD) once, the inspection unit 122 deletes the data D4 (TD) from the local memory. The inspection unit 122 does not leave the data D4 (TD) in the local storage. Therefore, unnecessary data does not remain in the document generator 100 when the official document 130 (F2) is generated.
  • the user PX defines the range of personal information that can be output by the second filter 330, and the document generation device 100 ensures that unnecessary personal information is not acquired or stored. The amount of information provided from the user terminal 300 to the document generation device 100 can thus be reduced to the minimum necessary.
  • the essential data D5 (TF) corresponding to the permission tag TF is stored in the user terminal 300 (see FIG. 7). Since the user PX has set the tag TF as a prohibited tag in the second filter 330, the required data D5 (TF) has not been transmitted to the document generator 100.
  • the required data corresponding to the permission tag TG is not stored in the user terminal 300.
  • In order for the user PX to issue the official document 130 (F2), it is necessary to provide the document generation device 100 with essential data corresponding to the permission tags TF and TG.
  • tags corresponding to data that are necessary for generating the official document 130 but are not provided from the user terminal 300 are referred to as "missing tags".
  • the data corresponding to the missing tag is called "missing data”. That is, the missing data is the essential data that is not provided from the user terminal 300 to the document generation device 100.
  • the tags TF and TG are missing tags of the official document 130 (F2).
  • the user PX needs to adjust the second filter 330 so that the required data D5 (TF) is output. Specifically, the user PX sets the missing tag TF as the permission tag. On the other hand, for the missing tag TG, the user PX needs to manually input the data (personal information) corresponding to the missing tag TG.
  • the filter setting unit 128 of the document generation device 100 also sets an arbitrary tag as a permission tag in the first filter 160.
  • For example, in the case of the official document 130 (F3), the user sets the arbitrary tag TH as the permission tag of the first filter 160. Since the document generation unit 126 can generate the official document 130 (F3) even if the arbitrary data (TH) cannot be obtained, the arbitrary tag TH is not set as the missing tag in this case.
  • Required data: Data required to generate official document 130.
  • Arbitrary data: Data that can be described in the official document 130 but is not described in the official document 130 if it is not provided.
  • Unnecessary data: Data that is not used for official document 130.
  • Missing data: Of the required data of official document 130, data not provided by the user.
  • Mandatory tag: A tag corresponding to the required data.
  • Arbitrary tag: A tag corresponding to arbitrary data.
  • Unnecessary tag: A tag corresponding to unnecessary data.
  • Missing tag: A tag corresponding to the missing data.
  • Permission tag: A tag that is permitted to pass in the second filter 330 or the first filter 160. In the first filter 160, required tags and arbitrary tags are permitted tags.
  • Prohibition tag: A tag whose passage is prohibited in the second filter 330 or the first filter 160. In the first filter 160, unnecessary tags are prohibited tags.
  • the permission tag and prohibition tag of the second filter 330, and the permission tag and prohibition tag of the first filter 160 determine whether various data included in the personal information are accepted by the document generation device 100. In the following:
  • Tag T1: It is a permission tag in both the second filter 330 and the first filter 160.
  • Tag T2: It is a permission tag in the second filter 330 and a prohibition tag in the first filter 160.
  • Tag T3: It is a prohibited tag in the second filter 330 and a permitted tag in the first filter 160.
  • Tag T4: It is a prohibited tag in the second filter 330 and a prohibited tag in the first filter 160.
  • Data (T1): Passes through the second filter 330 and is transmitted from the user terminal 300 to the document generator 100.
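
The flow of FIG. 6, FIG. 7 and FIG. 11 as an added Python example (not code from the patent): downloads are merged into one record per data value carrying all its tags, the second filter 330 releases a record if any tag is permitted, and the first filter 160 accepts, discards and reports missing tags for a document type. The function names and the `strict` option are assumptions introduced here; the tag and data values are constructed from the description above.

```python
"""Added example of the tag-based two-filter flow. All names are hypothetical."""

# Constructed sample data mirroring FIG. 6: (item name, data) pairs per file server.
SERVER_104A = [("TA", "D1"), ("TB", "D2"), ("TC", "D3"), ("TD", "D4")]
SERVER_104B = [("TA", "D1"), ("TE", "D2"), ("TC", "D3"), ("TF", "D5")]

# Constructed excerpt of the document definition table 140 (FIG. 9).
DOCUMENT_DEFINITIONS = {
    "F1": {"required": {"TA", "TB", "TC", "TD"}, "optional": set()},
    "F2": {"required": {"TA", "TB", "TC", "TF", "TG"}, "optional": set()},
    "F3": {"required": {"TA", "TE", "TK"}, "optional": {"TH"}},
}

# Permission tags the user PX chose for the second filter 330 (TB and TF are prohibited).
SECOND_FILTER_PERMITTED = {"TA", "TE", "TC", "TD"}


def aggregate(*sources):
    """Merge downloads: one entry per distinct data value, carrying every tag seen for it."""
    store = {}
    for source in sources:
        for tag, data in source:
            store.setdefault(data, set()).add(tag)
    return store


def second_filter(store, permitted, strict=False):
    """Output control on the user terminal 300.

    Default is the rule described above: a record is sent if ANY of its tags is permitted.
    strict=True is an assumption added here (not in the patent): ALL tags must be permitted.
    """
    out = {}
    for data, tags in store.items():
        allowed = tags <= permitted if strict else bool(tags & permitted)
        if allowed:
            out[data] = set(tags)
    return out


def first_filter(received, doc_type):
    """Input control on the document generation device 100 for one issuance request.

    Returns (accepted records, discarded data values, missing required tags).
    """
    definition = DOCUMENT_DEFINITIONS[doc_type]
    permitted = definition["required"] | definition["optional"]
    accepted = {data: tags for data, tags in received.items() if tags & permitted}
    discarded = sorted(set(received) - set(accepted))  # unnecessary data, to be deleted
    provided = set().union(*accepted.values())
    missing = sorted(definition["required"] - provided)  # tags to notify back (S24)
    return accepted, discarded, missing


if __name__ == "__main__":
    store = aggregate(SERVER_104A, SERVER_104B)
    for strict in (False, True):
        sent = second_filter(store, SECOND_FILTER_PERMITTED, strict=strict)
        accepted, discarded, missing = first_filter(sent, "F2")
        print("strict" if strict else "any-tag", sorted(sent), sorted(accepted), discarded, missing)
```

Under the any-tag rule, D2 leaves the terminal on the strength of tag TE even though the user prohibited TB; with `strict=True` it is withheld and TB joins the missing tags that the user must then release explicitly.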
  • FIG. 12 is a flowchart showing the official document issuance process of the document generation device 100 in the second embodiment.
  • the user first sends an issuance request specifying the document type along with the user ID and password.
  • the user terminal 300 transmits a part of personal information to the document generation device 100 according to the second filter 330.
  • the process shown in FIG. 12 is started after the issuance request and a part of personal information are received by the document generator 100.
  • the filter setting unit 128 of the document generation device 100 sets the first filter 160 according to the document type (S10).
  • the inspection unit 122 inspects the various data received from the user terminal 300 for unnecessary data (S12). In the case of the example shown in FIG. 11, the data D4 (TD) is unnecessary data. If there is unnecessary data (Y in S12), the inspection unit 122 deletes the unnecessary data from the local memory (received memory) (S14). If there is no unnecessary data (N in S12), the processing in S14 is skipped.
  • the inspection unit 122 inspects for missing data (S16).
  • the notification unit 120 notifies the user terminal 300 of the missing tag (S24).
  • the user terminal 300 needs to transmit the data corresponding to the missing tag to the document generation device 100 again. The method of dealing with the missing tag notification of the user terminal 300 will be described later.
  • When there is no missing data (Y in S16), that is, when all the essential data of the official document 130 are prepared, the document generation unit 126 generates the official document 130 (S18). Specifically, the document generation unit 126 fills in the required data or arbitrary data received from the user PX in the entry field 132 of the official document 130, and adds the two-dimensional code 134 and the issue date column 136, thereby generating the official document 130. The document generation unit 126 registers the issue information (document ID and issue date and time) in the issue history information 150 (S20).
  • the transmission unit 118 transmits the generated official document 130 to the user terminal 300 as electronic data, for example, a PDF (Portable Document Format) file (S22).
  • the document generation unit 126 may arrange to print the official document 130 with an attached printer and mail it to the address of the user PX.
  • the document generation device 100 acquires personal information to the extent necessary for creating the official document 130, and generates the official document 130 by describing essential data or arbitrary data in the entry field 132. Further, after the official document 130 is created, the inspection unit 122 deletes all the data received from the user terminal 300 from the local memory and the local storage. Similarly, after the official document 130 is transmitted, the document generation unit 126 also deletes the official document 130 itself from the local memory and the local storage. According to such a control method, the document generation device 100 acquires personal information only when the official document 130 is generated, and does not store the personal information thereafter, so that the risk of the personal information of the user PX leaking from the document generation device 100 can be minimized.
  • FIG. 13 is a flowchart showing a processing process when the user terminal 300 is notified of the missing tag.
  • When the missing tag exists, that is, when the required data of the official document 130 is missing, the notification unit 120 of the document generation device 100 notifies the user terminal 300 of the missing tag.
  • the tags TF and TG are notified as missing tags according to the example of FIG.
  • the user PX adjusts the second filter 330 (S32). For example, since the missing data D5 (TF) exists in the data storage unit 308 (see FIG. 7), the user PX may change the setting of the tag TF to the permission tag in the second filter 330. When the missing data is not stored in the data storage unit 308 (N in S30), the processing in S32 is skipped.
  • the output unit 312 of the user terminal 300 causes the user to input data corresponding to the tag TG from the data replenishment screen 340 described later. Alternatively, the output unit 312 may display "Please input the data corresponding to the tag TG" and display the data input screen. If the tag TG is, for example, "date of birth", the output unit 312 may display a data input screen for inputting the date of birth.
  • the user PX inputs the data DX corresponding to the missing tag TG into the user terminal 300 (S36).
  • the input unit 310 of the user terminal 300 accepts the input of the data DX.
  • the data management unit 320 of the user terminal 300 associates the tag TG with the newly input data DX and registers it as the data DX (TG) in the data storage unit 308 (S38). If there is no missing data (N in S34), the processes of S36 and S38 are skipped.
  • After all the missing data in the official document 130 is replenished, the transmission unit 314 additionally transmits the missing data to the document generation device 100 (S40). When the missing tags are tags TF and TG, the transmission unit 314 transmits data D5 (TF) and data DX (TG). Through the above processing process, the document generation device 100 acquires the essential data of the official document 130.
  • the data DX (TI) is registered in the data storage unit 308.
  • the data management unit 320 newly associates the tag TG with the data DX already associated with the tag TI.
  • the data DX is managed as data DX (TG, TI) corresponding to both the tags TG and TI.
  • FIG. 14 is a screen view of the data replenishment screen 340.
  • the output unit 312 of the user terminal 300 displays the data replenishment screen 340.
  • the output unit 312 displays the filter adjustment button 342 next to the missing tag TF and the data input button 344 next to the missing tag TG.
  • the output unit 312 displays the filter adjustment button 342 for adjusting the second filter 330 at the position corresponding to the tag TF.
  • the filter setting unit 318 changes the tag TF from the prohibited tag to the permitted tag in the second filter 330 (S32 in FIG. 13). By changing the setting of the second filter 330, the missing data D5 (TF) can be transmitted to the document generator 100.
  • the output unit 312 displays the data input button 344 for data input at the position corresponding to the tag TG.
  • the output unit 312 displays a data input screen (not shown).
  • the data management unit 320 associates the data DX with the tag TG and registers the data DX in the data storage unit 308. Further, the missing data DX (TG) can be transmitted to the document generation device 100.
  • FIG. 15 is a sequence diagram showing a processing process at the time of authenticity confirmation of the official document 130.
  • the user PY reads the two-dimensional code 134 of the official document 130X using his / her own user terminal 300 (S50).
  • the transmission unit 314 of the user terminal 300 transmits the issuance information (document ID and issuance date / time) included in the two-dimensional code 134 to the document generation device 100 (S52).
  • the certification unit 124 of the document generation device 100 determines that the official document 130X is genuine if the received issuance information is registered in the issuance history information 150. On the other hand, if it is not registered in the issuance history information 150, the certification unit 124 determines that the official document 130 is a forged document not issued by the document generation device 100 (S54). The transmission unit 118 transmits the determination result to the user terminal 300 (S56).
  • the user PY presented with the official document 130X by the user PX can easily confirm the authenticity of the official document 130X by inquiring to the document generator 100 based on the issuance information included in the two-dimensional code 134.
  • personal information is selectively transmitted from the user badge 350 to the document generation device 100 via the relay terminal 400, and the document generation device 100 generates various official documents 130 based on the received personal information.
  • the official document 130 is transmitted as electronic data from the document generator 100 to the relay terminal 400.
  • personal information is recorded on the user badge 350.
  • Although the user badge 350 is equipped with a DI engine, it differs from the user terminal 300 in that it has neither a user interface function nor an Internet connection function.
  • the user badge 350 includes personal information and a second filter 330.
  • the user badge 350 can transmit and receive data by short-range wireless communication such as NFC (Near Field Communication) and Bluetooth (registered trademark) without going through the Internet 102.
  • the user PX can also copy the personal information and the second filter 330 from the user terminal 300 to the user badge 350. For example, if the badge ID of the user badge 350 is registered in the user terminal 300, the transmission unit 314 of the user terminal 300 can write the personal information and the second filter 330 only to the registered user badge 350.
  • the user badge 350 is a badge-type information carrier.
  • the information carrier may also be a card type.
  • Various accessories such as rings, wristbands, and glasses may be provided with a function as an information carrier (DI engine).
  • FIG. 16 is a hardware configuration diagram of the document generation system 210 according to the third embodiment.
  • the document generation device 100 and the relay terminal 400 are connected by wire or wirelessly. Since the user badge 350 does not have a communication function via the Internet 102, in the third embodiment, the user badge 350 transmits data to the document generation device 100 via the relay terminal 400.
  • the relay terminal 400 is installed in a general store.
  • a printer 406 is connected to the relay terminal 400.
  • the relay terminal 400 includes a monitor 402 with a touch panel and a reader / writer 404 capable of reading and writing data by short-range wireless communication.
  • the user PX causes the relay terminal 400 to read personal information by holding the user badge 350 over the reader / writer 404.
  • the relay terminal 400 transmits the personal information read from the user badge 350 to the document generation device 100, and the document generation device 100 generates the official document 130 and transmits the electronic data to the relay terminal 400.
  • the relay terminal 400 prints the official document 130 from the printer 406.
  • FIG. 17 is a functional block diagram of the relay terminal 400.
  • the relay terminal 400 includes a user interface processing unit 410, a communication unit 412, a reader / writer processing unit 414, a data processing unit 416, and a data storage unit 418.
  • the user interface processing unit 410 accepts operations from the user and is in charge of processing related to the user interface such as image display and audio output.
  • the communication unit 412 is in charge of communication processing with the document generation device 100 via a wireless communication network.
  • the reader / writer processing unit 414 sends / receives data to / from the user badge 350 by the reader / writer 404.
  • the data storage unit 418 stores various information.
  • the data processing unit 416 executes various processes based on the data acquired by the user interface processing unit 410, the communication unit 412, and the reader / writer processing unit 414 and the data stored in the data storage unit 418.
  • the data processing unit 416 also functions as an interface for the user interface processing unit 410, the communication unit 412, the reader / writer processing unit 414, and the data storage unit 418.
  • the user interface processing unit 410 includes an input unit 420 and an output unit 422.
  • the input unit 420 receives various operations from the user via the touch panel.
  • the output unit 422 outputs various information by images, sounds, and the like.
  • the communication unit 412 includes a transmission unit 426 for transmitting various information to the document generation device 100 and a reception unit 424 for receiving various information from the document generation device 100.
  • the reception unit 424 receives the first filter 160 from the document generation device 100.
  • the reader / writer processing unit 414 includes a data acquisition unit 428 that reads data from the user badge 350 and a data writing unit 430 that writes data to the user badge 350.
  • the data processing unit 416 includes an inspection unit 432, a filter setting unit 434, a data registration unit 436, and a print control unit 438.
  • the inspection unit 432 selects the data to be transmitted to the document generation device 100 from the data acquired from the user badge 350 based on the first filter 160.
  • the filter setting unit 434 sets the first filter 160 received from the document generation device 100. Further, the filter setting unit 434 can also change the setting of the permission tag and the prohibition tag of the second filter 330 according to the instruction from the user.
  • the data registration unit 436 registers the data in the user badge 350.
  • the print control unit 438 controls the printer 406.
  • the DI engine of the user badge 350 encrypts the written data and stores it in the built-in local storage, and when the data is output from the local storage, the encrypted data is decrypted.
  • FIG. 18 is a schematic diagram for explaining the input / output control of personal information in the third embodiment.
  • the user badge 350 stores various personal information and the second filter 330. As in FIG. 6, it is assumed that the user badge 350 contains data D1 (TA), data D2 (TB, TE), data D3 (TC), data D4 (TD), and data D5 (TF). Further, as in FIG. 7, in the second filter 330, the tags TA, TC, TD, and TE are permitted tags, and the tags TB and TF are prohibited tags.
  • Data D1 (TA), data D2 (TB, TE), data D3 (TC), and data D4 (TD) are output from the user badge 350 by the second filter 330, but data D5 (TF) is not output.
  • the DI engine of the user badge 350 executes the decryption process at the time of data output.
  • the user PX inputs a user ID, a password, and the document type (e.g., resident's card) of the official document 130 to be issued on the monitor 402.
  • the transmission unit 426 of the relay terminal 400 notifies the document generation device 100 of the document type.
  • the filter setting unit 128 of the document generation device 100 sets the first filter 160 corresponding to the document type, and transmits the first filter 160 to the relay terminal 400.
  • the document type (F2) is specified and the first filter 160 shown in FIG. 11 is transmitted. That is, in the first filter 160, the tags TA, TB, TC, TF, and TG are set as permitted tags, and the tags TD and TE are set as prohibited tags.
  • the filter setting unit 434 of the relay terminal 400 sets the first filter 160 received from the document generation device 100.
  • the inspection unit 432 determines whether or not the data output from the user badge 350 can be accepted according to the first filter 160.
  • the filter setting unit 434 accepts data D1 (TA), data D2 (TB, TE), and data D3 (TC) according to the first filter 160, but rejects data D4 (TD).
  • the filter setting unit 434 deletes the once received data D4 (TD) from the local memory.
  • the inspection unit 432 refers to the first filter 160 and the received data, and identifies the missing tags TF and TG.
  • the output unit 422 causes the monitor 402 to display a screen similar to the data replenishment screen 340 shown in FIG.
  • the user PX can set the tag TF as the permission tag of the second filter 330 by touching the filter adjustment button 342.
  • the filter setting unit 434 changes the setting of the second filter 330 of the user badge 350 via the data writing unit 430, and the data acquisition unit 428 acquires the insufficient data D5 (TF) from the user badge 350.
  • the transmission unit 426 transmits the missing data D5 (TF) to the document generation device 100.
  • the user PX can input the data DX corresponding to the tag TG by touching the data input button 344.
  • the transmission unit 426 transmits the missing data DX (TG) to the document generation device 100. Further, the data registration unit 436 writes the data DX (TG) to the user badge 350 via the data writing unit 430.
  • the user PX may be able to specify whether the tag TG is a permission tag or a prohibition tag in the second filter 330 when writing the data DX (TG) to the user badge 350.
  • the filter setting unit 318 adds a setting for the tag TG of the second filter 330 according to the instruction from the user PX.
  • FIG. 19 is a flowchart showing a process of issuing an official document of the relay terminal 400 in the third embodiment.
  • the user inputs an issuance request specifying the document type together with the user ID and password to the relay terminal 400.
  • the relay terminal 400 notifies the document generation device 100 of the document type, and the filter setting unit 128 of the document generation device 100 transmits the first filter 160 corresponding to the document type to the relay terminal 400. Further, the document generation device 100 also notifies which of the required tag and the arbitrary tag is for each of the permission tags of the first filter 160.
  • the process shown in FIG. 19 is started.
  • the filter setting unit 434 of the relay terminal 400 sets the first filter 160 (S60).
  • the inspection unit 432 inspects the various data received from the user badge 350 for unnecessary data, that is, data associated with a prohibited tag of the first filter 160 (S62). If there is unnecessary data (Y in S62), the inspection unit 432 deletes the unnecessary data from the local memory (S64). If there is no unnecessary data (N in S62), the processing in S64 is skipped.
  • the inspection unit 432 checks for missing data, that is, for a shortage of data corresponding to the required tags (S66). If there is no shortage of required data (Y in S66), the transmission unit 426 transmits to the document generation device 100 all the required data needed for creating the official document 130 from among the data received from the user badge 350 (S68). When arbitrary data has also been acquired, the transmission unit 426 also transmits the arbitrary data to the document generation device 100.
  • the document generation unit 126 of the document generation device 100 creates the official document 130, and the transmission unit 118 of the document generation device 100 transmits the official document 130 (electronic data) to the relay terminal 400.
  • the receiving unit 424 of the relay terminal 400 receives the official document 130 (S70).
  • the print control unit 438 controls the printer 406 to print the official document 130 (S72). With such a control method, the user PX can receive the desired official document 130 at the store simply by holding the user badge 350 over the reader / writer 404 of the relay terminal 400.
  • the output unit 422 prompts the supplementation of the missing data (S74).
  • the user PX supplements the missing data by adjusting the second filter 330 or inputting new data.
  • the document generation systems 200 and 210 have been described above based on the embodiments.
  • the user can collect personal information on the user terminal 300 by accessing the plurality of file servers 104. Since the personal information distributed in various file servers 104 is collected in the user terminal 300, the registration burden is significantly reduced as compared with manually registering the personal information in the user terminal 300.
  • the same data D2 may be handled by different item names in the file server 104a and the file server 104b.
  • since the user terminal 300 associates the data D2 with two item names as tags TB and TE, the data D2 can easily be handled by the passage inspection of various first filters 160 and second filters 330.
  • the user wants to allow the output of information about his / her place of residence.
  • the user may set the tag TB (address) as the permission tag of the second filter 330, or may set the tag TE (location) as the permission tag. If the tag TB associated with "information about the place of residence" is used as the permission tag, the user does not need to set the tag TE (location) as a permission tag as well. Therefore, even if a large number of tags with similar names are generated, the user can effectively use the related tags as permission tags simply by selecting one of them as the permission tag, so the tags remain easy to manage even as they diversify.
  • the name of the permission tag is not always unified by the document generation device 100.
  • the document generator 100a may be associated with a tag TB (address) for "information about a place of residence".
  • the document generator 100b may be associated with a tag TE (location) for "information about a place of residence".
  • the user can define the range of personal information that may be output to the outside by setting the second filter 330. The approach is to store personal information in the user terminal 300 or the user badge 350 indefinitely and then set the output range of that information, so although personal information is concentrated in the user terminal 300 or the like, it can be controlled so that excessive information leakage does not occur.
  • the user can receive the official document issuing service by the document generation device 100 anytime and anywhere by accessing the document generation device 100 from the user terminal 300 or by holding the user badge 350 over the relay terminal 400.
  • users can have their ID verified by a public institution 24 hours a day, 7 days a week.
  • the document generation device 100 sets the first filter 160 for each document type of the official document 130. Since the document generation device 100 or the relay terminal 400 deletes data unnecessary for creating the official document 130 from the local memory and the local storage, the document generation device 100 and the like do not collect unnecessary data. Further, the document generation device 100 or the like can perform more strict information management by deleting all the received personal information from the local memory or the local storage after the publication of the official document 130.
  • the user can additionally supplement the missing data by adjusting the second filter 330.
  • the user can additionally transmit data to the document generator 100 within the minimum necessary range simply by adjusting the second filter 330 according to the missing tag.
  • the missing tag and the new data are registered in association with each other in the user terminal 300 or the user badge 350.
  • the personal information will be further enriched, and it will not be necessary to input the same data from the next time, so convenience will be improved.
  • the missing tag T2 is additionally associated with the data DX.
  • both the tags T1 and T2 can be handled by the same data DX, so that the applicable range of the data DX is expanded. In this way, by using the document issuing service of the document generation device 100, the flexibility of data management is increased.
  • when the document generation device 100 issues the official document 130, the document generation device 100 registers the issue information in the issue history information 150. Therefore, the user can immediately confirm whether the official document 130 is a true document or a forged document by reading the two-dimensional code 134 of the official document 130 and inquiring to the document generation device 100.
  • the user can move or duplicate the personal information of the user terminal 300 to the user badge 350 together with the second filter 330.
  • the user can easily receive the identification service by carrying the user badge 350, which is lighter and easier to carry than the user terminal 300.
  • the DI engine of the user badge 350 encrypts and stores personal information in case the user badge 350 is lost.
  • the relay terminal 400 may refuse to accept the data from the reader / writer 404 when the personal authentication by the user ID and the password is not successful.
  • the present invention is not limited to the above-described embodiment or modification, and the components can be modified and embodied within a range that does not deviate from the gist.
  • Various inventions may be formed by appropriately combining a plurality of components disclosed in the above-described embodiments and modifications.
  • some components may be deleted from all the components shown in the above embodiments and modifications.
  • the document generation device 100 is operated by a public institution, and the user receives a service of issuing an official document 130 such as a resident's card from the document generation device 100.
  • the document generation device 100 may issue various documents other than the official document 130.
  • the documents to be issued may be a company point card, a baggage address sheet, a New Year's card, an investment report, a work report, a receipt, a medical chart, a slip, or the like.
  • the "document" generated by the document generation device 100 may be electronic data including information in a format other than text such as a still image, a moving image file, and an audio file.
  • the document generator 100 does not need to acquire all the data necessary for creating a document from the user.
  • a part of the required data or arbitrary data included in the document may be data stored in advance in the document generation device 100, or may be acquired by the document generation device 100 from another file server 104.
  • the document generator 100 or the relay terminal 400 may present the first filter 160 to the user.
  • the transmission unit 118 of the document generation device 100 may transmit the first filter 160 to the user terminal 300 or the relay terminal 400 to display a list of permission tags set in the first filter 160.
  • the user may refer to the first filter 160 (list of permission tags) and confirm the required tags and arbitrary tags for each document before creating the document.
  • the user may appropriately select one of the second filters 330 from the plurality of second filters 330.
  • the user may select the second filter 330 according to the data output destination.
  • the user may combine a plurality of second filters 330 according to the data output destination.
  • the user may use the second filter 330A for the data output destination Y1, and may use the second filter 330A and the second filter 330B for the data output destination Y2.
  • the transmission unit 314 of the user terminal 300 may output only the data set as the permission tag in both the second filter 330A and the second filter 330B. According to such a control method, the strength of the output range limitation of personal information can be controlled by the number of second filters 330 used, according to the output destination.
  • the two-dimensional code 134 has been described as including the document ID and the issue date and time as the issue information.
  • the two-dimensional code 134 may include the document ID and the hash value of the issue date and time.
  • the issue information is not limited to the document ID and the issue date and time, and may include various information.
  • the user ID of the user who requested the issuance of the official document 130, the device ID of the document generation device 100 that issued the official document 130, and the like may be included in a part of the issuance information.
  • the file server 104 causes the user terminals 300 of a large number of users to download personal information.
  • the file server 104 may delete the personal information downloaded to the user terminal 300 from the local storage.
  • the data management unit (not shown) of the file server 104a may delete the personal information (PX) from the local storage after a certain period of time.
  • the transfer of data from the file server 104 to the user terminal 300 is gradually promoted.
  • as downloads by users progress, the data to be managed by the file server 104 decreases. Therefore, after downloading the personal information from the file server 104 to the user terminal 300, the user does not have to worry about the leakage of the personal information from the file server 104.
  • when the arbitrary data is not input, the document generation device 100 generates the official document 130 that does not include the arbitrary data.
  • the inspection unit 122 may notify the arbitrary tag as a missing tag.
  • after receiving the notification, the user inputs arbitrary data in the user terminal 300 or the relay terminal 400.
  • when the user inputs arbitrary data, the document generation device 100 generates an official document 130 including the arbitrary data.
  • the document generation device 100 may generate an official document 130 that does not include arbitrary data.
  • the relay terminal 400 may read the second filter 330 from the user badge 350. That is, the relay terminal 400 acquires the first filter 160 and the second filter 330, and the inspection unit 432 may select, from the personal information in the user badge 350, the personal information that can be provided to the document generation device 100 based on both the first filter 160 and the second filter 330.
  • the user confirms the identity by accessing the document generator 100 with the user ID and password.
  • the document generator 100 may verify the identity of the user by eKYC (electronic Know Your Customer) authentication.
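The two-stage tag filtering of the third embodiment (second filter 330 on the user badge 350, first filter 160 at the relay terminal 400) can be traced with the values given for data D1 to D5. The following Python sketch is an added illustration, not code from the patent: the class and function names are hypothetical, the rule that one permitted tag is enough for an item to pass is inferred from how data D2 (TB, TE) behaves in the text, and the split of F2's permission tags into required and arbitrary tags is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    name: str
    tags: frozenset


@dataclass(frozen=True)
class TagFilter:
    permitted: frozenset
    prohibited: frozenset = frozenset()

    def passes(self, item):
        # Default deny: an item passes only if it carries a permitted tag.
        # Assumption drawn from D2 (TB, TE): one permitted tag is enough,
        # even when another tag on the same item is a prohibition tag.
        return bool(item.tags & self.permitted)

    def permit(self, tag):
        """Filter adjustment: return a copy with `tag` set as a permission tag."""
        return TagFilter(self.permitted | {tag}, self.prohibited - {tag})


def badge_output(store, second_filters):
    """Data the information carrier releases: it must pass every second filter in use."""
    return [it for it in store if all(f.passes(it) for f in second_filters)]


def relay_inspect(received, first_filter, required):
    """Inspection at the relay terminal (S62 to S66 in the flowchart)."""
    accepted = [it for it in received if first_filter.passes(it)]
    # Rejected items are the ones the relay deletes from local memory (S64).
    rejected = [it for it in received if not first_filter.passes(it)]
    covered = set()
    for it in accepted:
        covered |= it.tags & first_filter.permitted
    missing = first_filter.permitted - covered
    return {
        "accepted": [it.name for it in accepted],
        "rejected": [it.name for it in rejected],
        "missing": sorted(missing),
        # Issuance is blocked only while a required tag is missing.
        "can_issue": not (missing & required),
    }


def T(*tags):
    return frozenset(tags)


# Values taken from the description of FIG. 18.
STORE = [
    Item("D1", T("TA")),
    Item("D2", T("TB", "TE")),
    Item("D3", T("TC")),
    Item("D4", T("TD")),
    Item("D5", T("TF")),
]
SECOND = TagFilter(T("TA", "TC", "TD", "TE"), T("TB", "TF"))
FIRST = TagFilter(T("TA", "TB", "TC", "TF", "TG"), T("TD", "TE"))
# Assumption (not stated on the page): TG is an arbitrary tag, the rest are required.
REQUIRED = T("TA", "TB", "TC", "TF")


def run_scenario():
    released = badge_output(STORE, [SECOND])
    first_pass = relay_inspect(released, FIRST, REQUIRED)
    # The user touches the filter adjustment button and permits TF.
    adjusted = SECOND.permit("TF")
    second_pass = relay_inspect(badge_output(STORE, [adjusted]), FIRST, REQUIRED)
    return [it.name for it in released], first_pass, second_pass


if __name__ == "__main__":
    released, first_pass, second_pass = run_scenario()
    print("released by badge:", released)
    print("first inspection: ", first_pass)
    print("after permitting TF:", second_pass)
```

Under this reading a prohibition tag does not override a permission tag on the same item, which is why D2 leaves the badge although TB is a prohibition tag of the second filter 330. Passing two filters to `badge_output` reproduces the combined use of the second filters 330A and 330B.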

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Tourism & Hospitality (AREA)
  • General Business, Economics & Management (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Human Resources & Organizations (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Development Economics (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Primary Health Care (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • Quality & Reliability (AREA)
  • Operations Research (AREA)
  • Educational Administration (AREA)
  • Game Theory and Decision Science (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • Artificial Intelligence (AREA)
  • Computational Linguistics (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Library & Information Science (AREA)
  • Computing Systems (AREA)
  • Technology Law (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

This document generation device is provided with a reception unit that receives from a user terminal data assigned a tag, an inspection unit that refers to a first filter indicating a tag necessary for a document of a predetermined format to determine whether the tag assigned to the received data matches the first filter, and a document generation unit that generates a document on the basis of the data matching the first filter.

Description

Document generation device, communication terminal, relay terminal, and document generation system
The present invention relates to a technique for managing personal information.
In recent years, interest in "digital transformation" (DX) has been growing rapidly. From a corporate perspective, digital transformation means prevailing in business by using network technology to grasp society's needs quickly while flexibly transforming one's own business model.
However, many of the existing business systems adopted by companies are over-optimized for each business division, and such legacy systems hinder company-wide use of data. There is a sense of crisis that legacy systems may instead become a burden on companies.
Japanese Patent No. 5360157
The limits and harmful effects of the business strategy in which a company collects a large amount of information and locks it in to provide its own services have also been pointed out. First, there is deep-rooted resentment toward the information dominance of giant digital platformers. Digital platformers secure their advantage by collecting vast amounts of personal information and using it exclusively. Individuals have no power to negotiate individually with digital platformers and are exposed to the risk that the various terms governing the use of their personal information will be changed unilaterally. With growing awareness of these problems, countries are tightening regulations on the use of personal information. The EU's General Data Protection Regulation (GDPR) is a typical example.
There is also the problem of energy. In the IoT era, in which things are connected to the Internet, data management is predicted to generate enormous demand for electric power. The world's annual electricity consumption in 2016 is said to be about 23,000 TWh, and it is said that this will increase more than tenfold in 2040. This is because the number of IoT devices will increase dramatically, and this vast number of IoT devices operating on the premise of the cloud will push up the power consumption of communication networks and data centers.
The present invention was completed in view of the above recognition of the problems, and its main object is to propose a data management technique centered on the individual.
A document generation device according to one aspect of the present invention includes: a receiving unit that receives tagged data from an external terminal; an inspection unit that refers to a first filter indicating the tags required for a document of a predetermined format and determines whether the tag assigned to the received data conforms to the first filter; and a document generation unit that generates a document based on the data conforming to the first filter.
A communication terminal according to one aspect of the present invention is connected to a document generation device.
The communication terminal includes: a data storage unit that stores data and tags in association with each other; a filter setting unit that sets, according to input from the user, a second filter indicating the tags of data that may be transmitted to the outside; and a transmission unit that refers to the second filter, selects the data assigned a tag included in the second filter, and transmits it to the document generation device.
When a missing tag is newly set in the second filter after the document generation device has notified the missing tag, the transmission unit transmits the data corresponding to the missing tag to the document generation device.
A communication terminal according to another aspect of the present invention includes: a receiving unit that receives tagged data from each of a plurality of servers; and a data management unit that associates the received data with its tags and stores it in a built-in storage device.
When the data management unit receives first data assigned a first tag from a first server and receives the first data assigned a second tag from a second server, it stores the first data in association with both the first tag and the second tag.
A relay terminal according to one aspect of the present invention is connected to a document generation device.
The relay terminal includes: an input unit that accepts data input from a user; a receiving unit that receives a first filter from the document generation device; a data acquisition unit that reads tagged data from an information carrier held by the user; an inspection unit that determines whether the tag assigned to the read data conforms to the first filter; and a transmission unit that selects, from the read data, the data conforming to the first filter and transmits it to the document generation device.
When data corresponding to a missing tag is input after the document generation device has notified the missing tag, the transmission unit additionally transmits the data corresponding to the missing tag to the document generation device.
A document generation system according to one aspect of the present invention includes a communication terminal and a document generation device.
The communication terminal includes: a data storage unit that stores data and tags in association with each other; a filter setting unit that sets, according to input from the user, a second filter indicating the tags of data that may be transmitted to the outside; and a transmission unit that refers to the second filter and, when the document generation device is accessed, selects the data assigned a tag included in the second filter and transmits it to the document generation device.
The document generation device includes: a receiving unit that receives tagged data from the communication terminal; an inspection unit that refers to a first filter indicating the tags required for a document of a predetermined format and determines whether the tag assigned to the received data conforms to the first filter; a document generation unit that generates a document based on the data conforming to the first filter; and a notification unit that notifies a missing tag when the data associated with some of the tags included in the first filter is missing.
When the missing tag is newly set in the second filter after the document generation device has notified the missing tag, the transmission unit of the communication terminal transmits the data corresponding to the missing tag to the document generation device.
When the data corresponding to the missing tag is received, the document generation unit of the document generation device generates the document including the received data.
According to the present invention, data management centered on the individual becomes easier to realize.
A conceptual diagram for explaining the cooperation of DI engines.
A conceptual diagram of data exchange by government offices, companies, and individuals.
A hardware configuration diagram of the document generation system.
A functional block diagram of the document generation device.
A functional block diagram of the user terminal.
A schematic diagram for explaining a method of aggregating personal information distributed over a plurality of file servers in the user terminal.
A schematic diagram for explaining output control by the second filter.
An example of the format of an official document issued by the document generation device.
A data structure diagram of the document definition table.
A data structure diagram of the issue history information.
A schematic diagram for explaining input control by the first filter.
A flowchart showing the official document issuance process of the document generation device in the second embodiment.
A flowchart showing the processing when the user terminal is notified of a missing tag.
A screen view of the data replenishment screen.
A sequence diagram showing the processing when the authenticity of an official document is confirmed.
A hardware configuration diagram of the document generation system in the third embodiment.
A functional block diagram of the relay terminal.
A schematic diagram for explaining the input / output control of personal information in the third embodiment.
A flowchart showing the official document issuance process of the relay terminal in the third embodiment.
Many existing business systems are built per business division or per company and are optimized for a specific line of work. Some are huge, complex, and have a long operating history, which makes radical refurbishment or expansion difficult. For the same reason, linking or integrating multiple business systems can also be difficult.
In addition, when a single company's service provision system grows huge and monopolizes so-called big data, there is a risk of inviting a "surveillance society". Furthermore, pulling huge amounts of data from a huge number of IoT devices up to a server group (cloud) increases the load and power consumption associated with communication. These problems become more apparent as the frequency of data collection rises.
In this embodiment, personal information is managed by a DI engine (Digital Intelligence Engine) associated with an individual. Details are described later. Rather than a service provider such as a company first collecting personal information and the user (service beneficiary) accessing the provider's system to receive the service, the user manages personal information individually with the DI engine, and the service provider provides the service by receiving from the user only the part of the personal information that the service requires.
The DI engine is implemented as a chip equipped with an MPU (Micro-Processor Unit) (hereinafter referred to as the "DI chip"). The DI chip includes the MPU, a volatile memory, and a non-volatile memory, and personal information is stored in the non-volatile memory. In the narrow sense, the DI engine is lightweight application software executed by the MPU of the DI chip; in the broad sense, it is a general term for the functions provided by the DI chip as a whole. In this embodiment, "DI engine" has the latter meaning unless otherwise specified.
The DI chip moves with the user. It is desirable that the DI chip be built into, for example, a smartphone or a card owned by the user. In addition to data storage and output functions, it is desirable that the DI engine have a concierge function for the user.
The DI engine stores the user's personal information. The personal information is stored encrypted in the DI engine, and a server cannot freely collect it. A server may store some personal information, but only the DI engine can store personal information freely and without restriction. When providing a service, a server receives some personal information from the DI engine, within the range the DI engine permits.
For example, the server S1 receives a part X1 of the personal information from the DI engine of the user P1. Another server S2 receives a part X2 of the personal information from the DI engine of the user P1. The personal information X1 and the personal information X2 may have completely different contents, or they may partly overlap. If the personal information X1 and the personal information X2 have a common part XC, the server S1 and the server S2 can also cooperate by using the common part XC as a key.
"Data sovereignty" lies with the user who receives the service, not with the service provider. Because the DI engine outputs only the personal information that the user has permitted, privacy is easier to protect. The DI engine encrypts personal information and stores it on the DI chip. The service provider does not first collect an endlessly large amount of personal information and then provide the service; it provides the service by receiving the necessary personal information from the DI engine as appropriate.
The application software of the DI chip is lightweight and small. At this stage, it is expected to fit within about 0.2MB. Even when it has a concierge function, the processing load is small, because the various processes basically operate on the personal information stored in the DI engine. Since cloud computing is not assumed, the communication load is low and power consumption can be suppressed.
FIG. 1 is a conceptual diagram for explaining the cooperation of DI engines.
The DI engine collects an individual's data. The user may register personal information in the DI engine, or the DI engine may collect personal information from an external device such as a smartphone. For example, the DI engine of the user P2 stores the personal information that this user P2 is "Makoto Ihara", who is "from Saitama" and ate "tomato" on October 5, 2020. The user P2 photographs the tomato with a smartphone when eating it. When the smartphone photographs the tomato, the DI engine may determine that the user P2 ate a tomato. Alternatively, the user P2 may register the personal information in the DI engine personally. The method of registering personal information in the DI engine is arbitrary.
A personal information management system as a whole is formed by a plurality of DI engines exchanging personal information with one another. For example, the user P1 may set only some personal information, such as "male" and "single", to be outputtable (disclosable). When the user P2 communicates with the user P1 (DI engine), the user P2 can learn that the user P1 is a single man. On the other hand, if the user P1 keeps the annual income information "annual income of 5 million yen" private, the annual income information is not notified to the user P2. The user P1 may disclose the annual income information to the user P3. Each user can set the personal information that may be disclosed according to the other party.
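The per-recipient output setting described above, together with the common part XC that lets the servers S1 and S2 cooperate, as an added example that is not part of the patent text. The class, method and item names are hypothetical and all stored values are constructed.

```python
"""Added example: default-deny, per-recipient disclosure of item/data pairs."""
from dataclasses import dataclass, field


@dataclass
class DIEngine:
    """Hypothetical stand-in for a DI engine holding one user's item/data pairs."""
    owner: str
    items: dict = field(default_factory=dict)  # item name -> data
    allow: dict = field(default_factory=dict)  # recipient -> permitted item names
    log: list = field(default_factory=list)    # (recipient, item, outcome)

    def permit(self, recipient, *names):
        """The owner allows `recipient` to receive the named items."""
        unknown = set(names) - set(self.items)
        if unknown:
            raise KeyError(f"not stored: {sorted(unknown)}")
        self.allow.setdefault(recipient, set()).update(names)

    def revoke(self, recipient, *names):
        """Withdraw a permission; later requests for these items are denied."""
        self.allow.get(recipient, set()).difference_update(names)

    def disclose(self, recipient, requested):
        """Return only requested items permitted for this recipient.

        A recipient with no entry gets nothing (default deny), and every
        decision is logged so the owner can review who asked for what.
        """
        permitted = self.allow.get(recipient, set())
        out = {}
        for name in requested:
            ok = name in permitted and name in self.items
            self.log.append((recipient, name, "granted" if ok else "denied"))
            if ok:
                out[name] = self.items[name]
        return out

    def common_part(self, a, b):
        """Items both recipients may receive: the key they could join on (XC)."""
        return self.allow.get(a, set()) & self.allow.get(b, set())


def build_p1():
    """Constructed sample data mirroring the P1/P2/P3 and S1/S2 examples."""
    p1 = DIEngine("P1", items={
        "name": "P1 (constructed)",
        "address": "constructed address",
        "gender": "male",
        "marital_status": "single",
        "annual_income": "5 million yen",
    })
    p1.permit("P2", "gender", "marital_status")
    p1.permit("P3", "gender", "marital_status", "annual_income")
    p1.permit("S1", "name", "address", "gender")   # X1
    p1.permit("S2", "name", "annual_income")       # X2
    return p1


if __name__ == "__main__":
    engine = build_p1()
    print(engine.disclose("P2", ["gender", "marital_status", "annual_income"]))
    print(engine.disclose("P3", ["annual_income"]))
    print("S1/S2 can join on:", engine.common_part("S1", "S2"))
```

Reviewing `common_part` before granting a new permission shows which recipients gain a shared key, since any non-empty common part is enough for two servers to link their views.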
Information is physically carried by the DI engine. When the DI engine of the user P1 provides personal information to the DI engine of the user P2, the DI engine of the user P2 can make suggestions suited to the relationship between the user P1 and the user P2. For example, even if the user P1 and the user P2 are meeting for the first time, a common topic can be suggested. In the above example, if the user P1 can learn that the user P2 is from Saitama, the user P1 can start a conversation by talking about Saitama Prefecture. Because the DI engine stores the personal information, the information management burden on data centers is also expected to be reduced.
Out of the huge amount of personal information it holds, the DI engine can narrow down the personal information that may be provided to the outside. It can also narrow down the types of personal information it wants to receive from the personal information supplied by others. In the following, a conventional information management system that collects data in a (central) server and makes use of it is called a "central management system", and an information management system in which DI engines store the data and various processes are executed based on the data supplied from the DI engines is called a "distributed management system".
In a central management system, a company C1 that provides a certain service collects data independently in its own database DB1. A company C2 that provides another service likewise collects data independently in its own database DB2. Since each collects data independently and greedily, much of the data stored in the database DB1 overlaps with the data stored in the database DB2. As a result, the same data is stored redundantly in many databases. Because database formats also differ from company to company, extensibility is poor and it becomes difficult to link multiple databases.
In a distributed management system, on the other hand, cooperation is based on the personal information received from the DI engine, so a company no longer needs a database with carefully defined requirements. A company provides its service by receiving the necessary data from the DI engine with the user's approval. It no longer needs to keep securing a large amount of personal information at all times.
For example, as shown in FIG. 1, the personal information stored in DI engines is diverse. The DI engine of the user P1 contains personal information about "annual income", but the DI engine of the user P2 does not contain "annual income" information. The DI engine stores a miscellany of pairs of an item (e.g., annual income) and data (e.g., 5 million yen). It is also possible to link multiple pieces of personal information, such as "what was eaten: tomato" and "date: October 5, 2020" for the user P2. If the user P1 wants to know what the user P2 has recently eaten, and the user P2 is willing to provide the information "ate a tomato on October 5, 2020", the user P1 can learn that the user P2 ate a tomato on October 5, 2020. If the user P1 is a cook, the DI engine of the user P1 can judge from this information that "the user P2 can eat tomatoes" or that "the user P2 may like tomatoes". As a result, the DI engine of the user P1 may determine that a tomato dish should be served to the user P2.
According to the information management system in this embodiment, managing personal information with DI engines suppresses redundant storage of the same data in databases. It also reduces input errors and copy errors made when an operator registers personal information in a database. This is because the service provider obtains personal information from the DI engine as needed and processes it as needed. In addition, managing personal information with DI engines reduces the risk of a large-scale information leak.
A conventional central management system focuses on capturing business opportunities by statistically processing a large amount of personal information and proposing suitable services to individuals. For example, when a user purchases a product A, a product B is proposed to this user based on the statistical information that people who purchase the product A often purchase the product B.
In contrast, the distributed management system in this embodiment can provide a service that suits an individual's values by analyzing the personal information obtained from the DI engine. For example, if, when a user enters a store, it is known that some time has passed since this user last bought toilet paper, the DI engine may suggest buying toilet paper.
In addition, for the novel coronavirus (severe acute respiratory syndrome coronavirus 2), "a fever of 37.5 degrees or higher lasting 4 days or longer" is given as a guideline for seeking a medical examination. However, since normal body temperature varies from person to person, it is considered desirable to set the reference value at 37.5 degrees or higher for a user whose normal body temperature is high to begin with. The DI engine may detect the user's body temperature and determine whether a medical examination is necessary based on its own reference value.
As a DMS (Data Management System), the DI engine is the key to information management. A BMS (Battery Management System) manages power sources such as the secondary batteries used by each user. The DMS and the BMS together manage an individual's information and energy. Furthermore, an EMS (Energy Management System) is configured based on the information obtained from a large number of DMSs and BMSs.
The MPU mounted in the DI engine does not need much processing power. The MPU may be a low-performance CPU (Central Processing Unit) or a GPU (Graphics Processing Unit). The MPU may also be an FPGA (Field-Programmable Gate Array).
The DI engine may be mounted in a database. In a conventional central management system, designing a database that stores a large amount of data required a strict definition of requirements for the data structure. As a result, integrating or changing databases took many man-hours. As an application of the distributed management system in this embodiment, a DI engine may be mounted in the database. First, the data to be registered is input to the database (DI engine). The DI engine stores the data in the database as it is. When there is a request to acquire data from the database, the DI engine searches the database for the desired data and outputs it. The DI engine weights each piece of data according to how frequently it is used. Specifically, raising the priority of frequently used data, such as names, improves the searchability of the data. With such a control method, the importance (rating) of data is set according to how the database is actually used, without defining requirements for the data structure, so that both the ease of inputting data and the ease of acquiring it can be improved.
In addition, the DI engine may be given a function of collecting words contained in academic literature, SNS (Social Networking Service) posts, news articles, and the like, and building connections between them. For example, when a word W2 appears in the vicinity of a word W1 (for example, in the same sentence or the same paragraph), the word W1 and the word W2 are regarded as related. By analyzing the strength of the relationship, the connections between pieces of information can be visualized. The strength of the relationship may be determined by applying a known technique such as Word2Vec.
Statistical analysis of the limited personal information obtained from DI engines is also conceivable. For example, when the personal information "bought the product A on a rainy day" is acquired repeatedly, the finding that the product A sells on rainy days is obtained. Alternatively, if there is personal information that the user P1 bought the product A on a rainy day in the past, the POS terminal of a store may recommend the product A when this user P1 visits the store on a rainy day. Similarly, if information is obtained that people who shoplift often buy a product B first and then shoplift, it is possible to respond by preferentially marking people who choose the product B.
Many patients forget to bring their medication record book. As a result, there is a risk that a doctor cannot properly check drug interactions when writing a prescription. The DI engine stores personal information about when the user took, or was prescribed, which medicine. Simply by obtaining only the medication history from the DI engine, a doctor can issue prescriptions more appropriately. In addition, if personal information about the user's physical condition can be obtained from the DI engine, the type and amount of medicine can be changed to suit that condition.
The same concept may be expressed by different terms depending on the company or the department. For example, suppose that a department E1 calls a concept X by the term Y1, and another department E2 calls the same concept X by the term Y2. In this case, communication between the department E1 and the department E2 may break down. Here, a term group G1 associated with the term Y1 is extracted from the DI engine of a user in the department E1, and a term group G2 associated with the term Y2 is extracted from the DI engine of a user in the department E2. When the term group G1 and the term group G2 are similar, both DI engines can recognize that the term Y1 and the term Y2 correspond to the same or a similar concept.
First, after personal information is managed by the DI engine, part of it may be managed or backed up in a small unit such as a family. For example, if the amount of information stored in the DI engine is M1, the user has an edge server operated by the family back up some of the personal information. The amount of personal information stored in the edge server may be about M1 × 0.1. With such a control method, the user manages personal information with the DI engine while providing the edge server with the part of the personal information that can be shared by the family.
When each family member provides part of their personal information to a car owned by the family (a kind of edge server), the car may change its driving assistance method to suit the user.
Furthermore, part of the personal information may be provided as shared information to a community such as a condominium, a school, or a workplace. In this case as well, personal information is not provided without restriction; it may be limited to information that is necessary and useful in the community, such as name, gender, and address. In this way, individuals manage their personal information with DI engines while providing it in a limited manner to families, companies, regions, nations, and so on, which makes it easier to enjoy the convenience the community offers while protecting sovereignty over data management.
FIG. 2 is a conceptual diagram of data exchange among government offices, companies, and individuals.
For example, suppose that a government office has a database DB1 for My Number and a database DB2 for Juki Net (the Basic Resident Register Network System). To integrate these two databases, the data group of the database DB1 and the data group of the database DB2 are input together into the DI engine of the government office. Here, suppose that "name", "address", "My Number", "age", and "occupation" are registered in association with one another as personal information in the database DB1, and that "name", "address", "Juki number", "gender", "place of birth", and "presence or absence of passport" are registered in association with one another as personal information in the database DB2. Since "name" and "address" are common to the two databases, the two databases can be integrated by using these two data items, "name" and "address", as the key. For example, the "My Number", "age", and "occupation" corresponding to the two data items "name: Ichiro Sato" and "address: Kamigamo Motoyama, Kita-ku, Kyoto City, Kyoto Prefecture" are identified, and the "gender", "Juki number", "place of birth", and "presence or absence of passport" associated with the same two data items are identified. By associating "My Number", "age", "occupation", "gender", "Juki number", "place of birth", and "presence or absence of passport" with "name: Ichiro Sato" and "address: Kamigamo Motoyama, Kita-ku, Kyoto City, Kyoto Prefecture", the data of the database DB1 and the database DB2 can be integrated for the user P1 (name: Ichiro Sato). The same applies to other users.
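Keying DB1 and DB2 on "name" and "address" as described above, in an added example that is not part of the patent text. It goes beyond the single-user case by also handling keys that differ only in character width or spacing and keys that match more than one record; the field names and every value other than the quoted name and address are constructed.

```python
"""Added example: merge two record sets on (name, address), refusing ambiguous keys."""
import unicodedata
from collections import defaultdict

KEY_FIELDS = ("name", "address")


def join_key(record):
    """Normalised (name, address): NFKC folds full-width forms, spaces collapse."""
    return tuple(
        " ".join(unicodedata.normalize("NFKC", record[f]).split()).casefold()
        for f in KEY_FIELDS
    )


def index_by_key(records):
    index = defaultdict(list)
    for record in records:
        index[join_key(record)].append(record)
    return index


def merge(db1, db2):
    """Return (merged, ambiguous, unmatched).

    merged:    one combined record per key found exactly once in each database
    ambiguous: keys shared by several records in either database; name plus
               address does not identify one person there, so nothing is merged
    unmatched: keys present in only one database
    """
    i1, i2 = index_by_key(db1), index_by_key(db2)
    merged, ambiguous, unmatched = [], [], []
    for key in sorted(set(i1) | set(i2)):
        a, b = i1.get(key, []), i2.get(key, [])
        if len(a) == 1 and len(b) == 1:
            merged.append({**a[0], **b[0]})
        elif len(a) > 1 or len(b) > 1:
            ambiguous.append(key)
        else:
            unmatched.append(key)
    return merged, ambiguous, unmatched


ADDR = "Kamigamo Motoyama, Kita-ku, Kyoto City, Kyoto Prefecture"
ADDR2 = "constructed address 2"

# Constructed sample rows; identifiers are placeholders, not real numbers.
DB1 = [
    {"name": "Ichiro Sato", "address": ADDR, "my_number": "MYNUM-PLACEHOLDER-1",
     "age": 40, "occupation": "constructed"},
    {"name": "Taro Yamada", "address": ADDR2, "my_number": "MYNUM-PLACEHOLDER-2",
     "age": 70, "occupation": "constructed"},
    {"name": "Taro Yamada", "address": ADDR2, "my_number": "MYNUM-PLACEHOLDER-3",
     "age": 45, "occupation": "constructed"},
]
DB2 = [
    # Full-width space in the name; still the same key after normalisation.
    {"name": "Ichiro\u3000Sato", "address": ADDR, "juki_number": "JUKI-PLACEHOLDER-1",
     "gender": "male", "place_of_birth": "constructed", "passport": True},
    {"name": "Taro Yamada", "address": ADDR2, "juki_number": "JUKI-PLACEHOLDER-2",
     "gender": "male", "place_of_birth": "constructed", "passport": False},
    {"name": "Hanako Suzuki", "address": "constructed address 3",
     "juki_number": "JUKI-PLACEHOLDER-3", "gender": "female",
     "place_of_birth": "constructed", "passport": True},
]

if __name__ == "__main__":
    merged, ambiguous, unmatched = merge(DB1, DB2)
    print("merged:", merged)
    print("ambiguous keys:", ambiguous)
    print("unmatched keys:", unmatched)
```

Two people with the same name at the same address end up in `ambiguous` rather than being silently combined, which would otherwise attach one person's My Number to another person's Juki record.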
Also, when the user P1 wants to obtain a resident's card from a local government, the DI engine provides the government office with the personal information necessary for obtaining the resident's card (e.g., name and address). On receiving this limited personal information, the government office creates the resident's card and sends the resident's card data to the mobile terminal of the user P1. The local government in charge of issuing resident's cards does not need to manage data other than the data necessary for issuing them, such as the user's work history. The local government manages only the official data that must be kept for the service, and obtains any other information the service needs from the residents' DI engines as appropriate.
A company may also send product information or advertisements to a customer based on the personal information provided by the customer's DI engine. Cooperation through the DI engine is also possible when multiple companies provide services to a single customer. For example, when the user P1 provides the information "often rides in a car", an automobile manufacturer may propose a new car, and the city hall may propose drive spots in the city. When the user P1 becomes interested in a proposed drive spot, shops near the drive spot may send advertisements to the user P1. The shops do not need to know the identity of the user P1.
In the following, methods of aggregating and utilizing personal information are described separately as the first to third embodiments.
The first embodiment describes a method of aggregating, in a user terminal (communication terminal), personal information (data) distributed across a plurality of file servers.
The second embodiment describes a method of issuing an official document using personal information stored in a user terminal that has a function of connecting to the Internet.
The third embodiment describes a method of issuing an official document using personal information stored in a badge (information carrier) that has no function of connecting to the Internet.
Hereinafter, when the first to third embodiments are referred to collectively, or when no particular distinction is made, they are called "the present embodiment".
[First Embodiment]
FIG. 3 is a hardware configuration diagram of the document generation system 200.
The document generation system 200 includes a document generation device 100, a plurality of file servers 104, and a user terminal 300. The document generation device 100, the file servers 104, and the user terminal 300 are connected via the Internet 102. The user terminal 300 is a communication terminal owned by the user and is assumed to be a laptop PC (Personal Computer), a tablet PC, a smartphone, or the like. The user terminal 300 may also be a so-called wearable terminal such as a smart watch (wristwatch-type mobile information terminal). In the present embodiment, the user terminal 300 is described as a smartphone. The user terminal 300 is equipped with a DI engine. The user terminal 300 may be equipped with a DI chip, or application software that realizes the functions of a DI engine may be installed in the user terminal 300.
The file server 104 is a database operated by a public institution or the like, and manages users' personal information. The operator of a file server 104 is assumed to be a local government, a government office, a company, an educational institution, a financial institution, or the like. Each institution manages users' personal information in its own format.
The document generation device 100 is a device that creates and issues official documents. In this embodiment, the document generation device 100 is operated by an administrative agency. The document generation device 100 issues various official documents such as a resident's card, a book card, a copy of a family register, a driver's license, and a certificate of registered matters.
The user registers a user ID and a password in the document generation device 100 in advance. The document generation device 100 verifies the user's identity based on the user ID and the password.
FIG. 4 is a functional block diagram of the document generation device 100.
Each component of the document generation device 100 is realized by hardware, including arithmetic units such as a CPU (Central Processing Unit) and various co-processors, storage devices such as memory and storage, and the wired or wireless communication lines connecting them, and by software that is stored in the storage devices and supplies processing instructions to the arithmetic units. The computer program may be composed of device drivers, an operating system, various application programs located in the layers above them, and libraries that provide common functions to these programs.
Each block described below represents a functional unit, not a hardware unit. The same applies to the user terminal 300 of FIG. 5 and the relay terminal 400 of FIG. 7.
The document generation device 100 includes a communication unit 110, a data processing unit 112, and a data storage unit 114.
The communication unit 110 is in charge of communication processing with the user terminal 300, the relay terminal 400 (described later), and the file server 104 via the Internet 102. The data storage unit 114 stores various information. The data processing unit 112 executes various processes based on the data acquired by the communication unit 110 and the data stored in the data storage unit 114. The data processing unit 112 also functions as an interface between the communication unit 110 and the data storage unit 114.
The communication unit 110 includes a transmission unit 118 that transmits various information to an external device such as a user terminal 300, and a reception unit 116 that receives various information from the external device.
The transmission unit 118 includes a notification unit 120 that notifies the user terminal 300 of the missing data when the data necessary for issuing a document is missing.
The data processing unit 112 includes an inspection unit 122, a certification unit 124, a document generation unit 126, and a filter setting unit 128.
The inspection unit 122 determines, based on the first filter (described later), whether to accept data received from an external device such as the user terminal 300. The certification unit 124 confirms the authenticity of an official document in response to an inquiry from the outside. The document generation unit 126 generates official documents. The filter setting unit 128 sets the first filter according to the type of official document.
FIG. 5 is a functional block diagram of the user terminal 300.
The user terminal 300 includes a user interface processing unit 302, a communication unit 304, a data processing unit 306, and a data storage unit 308. The user interface processing unit 302 is in charge of processing related to the user interface, such as image display and audio output, in addition to accepting operations from the user. The communication unit 304 is in charge of communication processing with the document generation device 100, the file server 104, etc. via the wireless communication network. The data storage unit 308 stores various information. The data processing unit 306 executes various processes based on the data acquired by the user interface processing unit 302 and the communication unit 304 and the data stored in the data storage unit 308. The data processing unit 306 also functions as an interface for the user interface processing unit 302, the communication unit 304, and the data storage unit 308.
The user interface processing unit 302 includes an input unit 310 and an output unit 312. The input unit 310 accepts various operations from the user. The output unit 312 outputs various information as images, sound, and the like.
The communication unit 304 includes a transmission unit 314 that transmits various information to an external device such as the document generation device 100, and a reception unit 316 that receives various information from the external device.
The data processing unit 306 includes a filter setting unit 318 and a data management unit 320. The filter setting unit 318 controls the range of personal information stored in the data storage unit 308 that may be output, by setting a second filter (described later). The data management unit 320 manages the personal information in the data storage unit 308. The data management unit 320 also encrypts data to be saved in the data storage unit 308 and decrypts data read from the data storage unit 308.
FIG. 6 is a schematic diagram for explaining a method of aggregating personal information distributed in a plurality of file servers 104 in a user terminal 300.
The personal information of the user may be managed by the user terminal 300 or the like, or may be managed by the file server 104. The user can collect various personal information distributed in each file server 104 in the user terminal 300.
It is assumed that the file server 104a is operated by a public institution A and the file server 104b by another public institution B. Because the public institutions A and B operate the file servers 104a and 104b independently, their data management methods are not uniform.
Personal information about the user PX in the file server 104a is managed as combinations of an "item" and "data". In the following, "data" means a part of the personal information associated with an item, and a collection of data is called "personal information".
In the file server 104a, four kinds of data are managed together with their items: "item TA: data D1", "item TB: data D2", "item TC: data D3", and "item TD: data D4". Items are assumed to be, for example, "name", "gender", "marriage history", "place of birth", "address", and "financial assets".
In the file server 104b, personal information about the user PX is likewise managed as combinations of items and data. In the file server 104b, four kinds of data are managed together with their items: "item TA: data D1", "item TE: data D2", "item TC: data D3", and "item TF: data D5".
The user terminal 300 manages personal information by associating data with tags. A "tag" is a concept that defines an attribute of data, and in this embodiment the "item name" serves as the tag. The transmission unit 314 of the user terminal 300 transmits a data acquisition request (download request) to the file server 104a, and the reception unit 316 downloads the personal information of the user PX from the file server 104a. For example, when "item TA: data D1" is acquired, the data management unit 320 associates "data D1" with "tag TA" and registers them in the data storage unit 308. Hereinafter, the data D1 to which the tag TA is attached is written as "data D1 (TA)".
Similarly, the user terminal 300 also downloads the personal information of the user PX from the file server 104b. "Item TA: data D1" is duplicate data obtained from both the file server 104a and the file server 104b. In this case, the data management unit 320 registers only one copy of the data D1 (TA) in the data storage unit 308.
When the user terminal 300 receives "item TB: data D2" from the file server 104a, it associates the tag TB with the data D2 and saves it as data D2 (TB). When it subsequently receives "item TE: data D2" from the file server 104b, the tag TE is also associated with the data D2. That is, the data management unit 320 registers data D2 (TB, TE) in the data storage unit 308. For example, TB may be "address" and TE may be "place", so that the file server 104a and the file server 104b manage the same data D2 under different item names. In this case, the data management unit 320 associates both the TB tag (address) and the TE tag (place) with the single data D2.
The "item TC: data D3" held by the file server 104a is also held by the file server 104b. The "item TD: data D4" held by the file server 104a is not held by the file server 104b, and the "item TF: data D5" held by the file server 104b is not held by the file server 104a. By accessing both the file server 104a and the file server 104b, the user terminal 300 can collect both the data managed only by the file server 104a and the data managed only by the file server 104b.
[Second Embodiment]
In the second embodiment, personal information is selectively transmitted from the user terminal 300 equipped with the DI engine to the document generation device 100, and the document generation device 100 generates various official documents based on the received personal information. The official document is transmitted as electronic data from the document generator 100 to the user terminal 300.
FIG. 7 is a schematic diagram for explaining output control by the second filter 330.
The user terminal 300 controls the range of personal information that may be output by means of the second filter 330. The document generation device 100, on the other hand, controls the range of personal information that may be input by means of the first filter. The first filter will be described later in relation to FIG. 11. In the second filter 330, tags for which data output is permitted (hereinafter, "permission tags") and tags for which it is not permitted (hereinafter, "prohibited tags") are set. In the second filter 330 shown in FIG. 7, there are four permission tags, TA, TC, TD, and TE, and two prohibited tags, TB and TF. The user PX designates the permission tags and prohibited tags of the second filter 330 on the user terminal 300. The filter setting unit 318 sets the second filter 330 according to the designation from the user PX. The transmission unit 314 determines, according to the second filter 330, whether each piece of data stored in the data storage unit 308 may be output.
Since the tag TA of the data D1 (TA) is a permission tag, the transmission unit 314 transmits the data D1 (TA) to an external device such as the document generation device 100. The tag TB of the data D2 (TB, TE) is a prohibited tag, but since the tag TE is a permission tag, the transmission unit 314 also permits transmission of the data D2 (TB, TE). In this way, when a plurality of tags are associated with one piece of data, the transmission unit 314 permits transmission if any one of those tags is a permission tag.
Since the tag TC is a permission tag, the transmission unit 314 permits transmission of the data D3 (TC). Similarly, since the tag TD is also a permission tag, the transmission unit 314 also transmits the data D4 (TD). On the other hand, since the tag TF is a prohibited tag, the data D5 (TF) is not output from the user terminal 300 to the outside. In this way, by setting the second filter 330, the user PX can control which of the various personal information stored in the data storage unit 308 is "data that may be output to the outside" and which is "data that must not be output to the outside".
FIG. 8 is an example of the format of the official document 130 issued by the document generator 100.
As described above, the document generator 100 issues various official documents 130 such as a resident's card and a driver's license. The required data, its layout, design, and the like are predetermined for each official document 130. The official document 130 shown in FIG. 8 is a resident's card, and five types of entry fields 132 of various sizes are set. In the following, a scene in which the user PX receives the issuance of the official document 130 shown in FIG. 8 will be described.
Tags TA, TB, TC, TF, and TG are associated with the five types of entry fields 132, respectively. That is, in order to have the official document 130 issued, the user PX needs to provide the document generation device 100 with the data associated with these tags.
When issuing the official document 130, the document generation unit 126 writes the issue date and time in the issue date field 136. In addition, when issuing the official document 130, the document generation unit 126 generates a document ID for identifying the issued official document 130. The official document 130 also carries a two-dimensional code 134 that includes the document ID and the issue date and time. The document generation unit 126 may include the URI (Uniform Resource Identifier) of the document generation device 100 in the two-dimensional code 134.
FIG. 9 is a data structure diagram of the document definition table 140.
The document definition table 140 is stored in the data storage unit 114 of the document generation device 100. The document definition table 140 is a file that defines tags (items) required for each document type. The document type indicates the type of the official document 130. Personal information to be described differs depending on the document type. For example, the type and amount of data to be entered differs between a resident card and a book card.
The official document 130 of document type F1 (hereinafter written as "official document 130 (F1)") requires data to which the tags TA, TB, TC, and TD are attached. The tags required by an official document 130 are divided into "required tags" and "optional tags". Hereinafter, data corresponding to a required tag is called "required data", and data corresponding to an optional tag is called "optional data". Tags that are not needed for creating the official document 130 are called "unnecessary tags", and data corresponding to unnecessary tags is called "unnecessary data".
The four tags TA, TB, TC, and TD mentioned above are all required tags of the official document 130 (F1). The document generation unit 126 can generate the official document 130 (F1) if the user PX provides the required data corresponding to these four required tags.
The required tags of the official document 130 (F3) are the tags TA, TE, and TK, and the tag TH is an optional tag. The document generation unit 126 generates the official document 130 (F3) if it can acquire the required data corresponding to the required tags TA, TE, and TK. When the optional data (TH) is also provided, the document generation unit 126 also enters the optional data (TH) in the official document 130 (F3). When the optional data (TH) cannot be acquired, the document generation unit 126 issues the official document 130 (F3) without the optional data (TH).
FIG. 10 is a data structure diagram of the issuance history information 150.
The issuance history information 150 is also stored in the data storage unit 114 of the document generation device 100. As described above, when the document generation unit 126 issues the official document 130 in response to a request from the user, the document generation unit 126 generates a document ID and records the issue date and time. The document generation unit 126 describes the two-dimensional code 134 including the document ID and the issue date and time in the official document 130, and also registers it in the issue history information 150. For example, the official document 130 with the document ID = K01 has a document type of "F1" and is issued at "14:35 on July 21, 2021". Hereinafter, the document ID and the issue date and time are collectively referred to as "issue information".
FIG. 11 is a schematic diagram for explaining input control by the first filter 160.
As described above, the user terminal 300 controls the range of personal information that may be output by means of the second filter 330. The document generation device 100 controls the range of personal information that may be input by means of the first filter 160. That is, of the personal information stored in the user terminal 300, only the data whose output is permitted by the second filter 330 is transmitted to the document generation device 100, and of the data transmitted from the user terminal 300, only the data whose input is permitted by the first filter 160 is accepted by the document generation device 100 as a processing target.
Assume that the user PX has requested the document generation device 100 to issue the official document 130 (F2). As shown in FIG. 9, the official document 130 (F2) has five required tags, TA, TB, TC, TF, and TG. The official document 130 (F2) corresponds to the official document 130 shown in FIG. 8.
When a request to issue the official document 130 (F2) is received from the user terminal 300 of the user PX, the filter setting unit 128 of the document generation device 100 sets the permission tags and prohibited tags of the first filter 160 based on the document definition table 140. Specifically, required tags and optional tags are set as permission tags, and unnecessary tags are set as prohibited tags. In the case of the official document 130 (F2), the tags TA, TB, TC, TF, and TG are permission tags, and the tags TD and TE are prohibited tags.
From the user terminal 300 of the user PX, the data D1 (TA), data D2 (TB, TE), data D3 (TC), and data D4 (TD) have been transmitted to the document generation device 100 through the second filter 330 (see also FIG. 7).
The inspection unit 122 of the document generation device 100 determines, based on the first filter 160, whether to accept each of these four pieces of data. Since the tags TA, TB, and TC are permission tags, the inspection unit 122 accepts the data D1 (TA), data D2 (TB, TE), and data D3 (TC). At output time, the tag TB was a prohibited tag and the tag TE was a permission tag in the second filter 330, so the data D2 (TB, TE) was output on the basis of the tag TE. At input time, on the other hand, the tag TB is a permission tag and the tag TE is a prohibited tag in the first filter 160, so the data D2 (TB, TE) is received on the basis of the tag TB. Data having a plurality of tags is thus more likely to be permitted for both output and input.
Since the tag TD is a prohibited tag, the inspection unit 122 does not accept the data D4 (TD). Once the data D4 (TD) has been received, the inspection unit 122 deletes it from the local memory. The inspection unit 122 does not leave the data D4 (TD) in local storage either. Therefore, no unnecessary data remains in the document generation device 100 when the official document 130 (F2) is generated. Because the user PX defines the range of personal information that may be output by means of the second filter 330, while the document generation device 100 guarantees that it does not acquire or store unnecessary personal information, the amount of information provided from the user terminal 300 to the document generation device 100 can be kept to the necessary minimum.
The required data D5 (TF) corresponding to the permission tag TF is stored in the user terminal 300 (see FIG. 7). Since the user PX set the tag TF as a prohibited tag in the second filter 330, the required data D5 (TF) has not been transmitted to the document generation device 100.
The required data corresponding to the permission tag TG is not stored in the user terminal 300. To have the official document 130 (F2) issued, the user PX also needs to provide the document generation device 100 with the required data corresponding to the permission tags TF and TG. Hereinafter, a tag corresponding to data that is needed to generate the official document 130 but has not been provided from the user terminal 300 is called a "missing tag", and the data corresponding to a missing tag is called "missing data". That is, missing data is required data that has not been provided from the user terminal 300 to the document generation device 100. In the example of FIG. 11, the tags TF and TG are missing tags of the official document 130 (F2).
Details will be described later, but for the missing tag TF, the user PX needs to adjust the second filter 330 so that the required data D5 (TF) is output. Specifically, the user PX sets the missing tag TF as a permission tag. For the missing tag TG, on the other hand, the user PX needs to manually enter the data (personal information) corresponding to the missing tag TG.
Note that the filter setting unit 128 of the document generation device 100 also sets optional tags as permission tags in the first filter 160. For example, in the case of the official document 130 (F3), the user sets the optional tag TH as a permission tag of the first filter 160. Since the document generation unit 126 can generate the official document 130 (F3) even if the optional data (TH) is not obtained, the optional tag TH is not treated as a missing tag in this case.
The terms related to tags and data are summarized below.
Required data: Data needed to generate the official document 130.
Optional data: Data that can be entered in the official document 130 but is not entered in it unless provided.
Unnecessary data: Data that is not used in the official document 130.
Missing data: Required data of the official document 130 that has not been provided by the user.
Required tag: A tag corresponding to required data.
Optional tag: A tag corresponding to optional data.
Unnecessary tag: A tag corresponding to unnecessary data.
Missing tag: A tag corresponding to missing data.
Permission tag: A tag that is permitted to pass through the second filter 330 or the first filter 160. In the first filter 160, required tags and optional tags are permission tags.
Prohibited tag: A tag that is prohibited from passing through the second filter 330 or the first filter 160. In the first filter 160, unnecessary tags are prohibited tags.
The permission tags and prohibited tags of the second filter 330, together with the permission tags and prohibited tags of the first filter 160, determine whether each piece of data included in the personal information is accepted by the document generation device 100.
In the following, let:
Tag T1: A permission tag in both the second filter 330 and the first filter 160.
Tag T2: A permission tag in the second filter 330 and a prohibited tag in the first filter 160.
Tag T3: A prohibited tag in the second filter 330 and a permission tag in the first filter 160.
Tag T4: A prohibited tag in the second filter 330 and a prohibited tag in the first filter 160.
Then:
Data (T1): Passes through the second filter 330 and is transmitted from the user terminal 300 to the document generation device 100. It also passes through the first filter 160 and is accepted by the document generation device 100 as a processing target.
Data (T2): Passes through the second filter 330 and is transmitted from the user terminal 300 to the document generation device 100. Since it cannot pass through the first filter 160, even once received by the document generation device 100 it is immediately deleted from the local memory (reception memory).
Data (T3): Since it cannot pass through the second filter 330, it is not output from the document generation device 100.
Data (T4): Since it cannot pass through the second filter 330, it is not output from the document generation device 100.
That is, only data having the tag T1 becomes a processing target of the document generation device 100.
FIG. 12 is a flowchart showing the official document issuance process of the document generation device 100 in the second embodiment.
The user first sends an issuance request specifying the document type along with the user ID and password. At the same time as the issuance request, the user terminal 300 transmits a part of personal information to the document generation device 100 according to the second filter 330. The process shown in FIG. 12 is started after the issuance request and a part of personal information are received by the document generator 100.
The filter setting unit 128 of the document generation device 100 sets the first filter 160 according to the document type (S10). The inspection unit 122 inspects the various data received from the user terminal 300 for unnecessary data (S12). In the example shown in FIG. 11, the data D4 (TD) is unnecessary data. If there is unnecessary data (Y in S12), the inspection unit 122 deletes it from the local memory (receive memory) (S14). If there is no unnecessary data (N in S12), the processing in S14 is skipped.
Next, the inspection unit 122 inspects for missing data (S16). When there is missing data (N in S16), the notification unit 120 notifies the user terminal 300 of the missing tags (S24). On receiving the missing tag notification, the user terminal 300 needs to transmit the data corresponding to the missing tags to the document generation device 100 again. How the user terminal 300 responds to the missing tag notification is described later.
When there is no missing data (Y in S16), that is, when all the required data of the official document 130 is available, the document generation unit 126 generates the official document 130 (S18). Specifically, the document generation unit 126 fills the entry fields 132 of the official document 130 with the required data or optional data received from the user PX, and adds the two-dimensional code 134 and the issue date field 136, thereby generating the official document 130. The document generation unit 126 registers the issuance information (document ID and issue date and time) in the issuance history information 150 (S20).
The transmission unit 118 transmits the generated official document 130 to the user terminal 300 as electronic data, for example, a PDF (Portable Document Format) file (S22). The document generation unit 126 may instead arrange for the official document 130 to be printed on an attached printer and mailed to the address of the user PX.
As described above, the document generation device 100 acquires personal information only to the extent necessary for creating the official document 130, and generates the official document 130 by entering required data or optional data in the entry fields 132. After the official document 130 is created, the inspection unit 122 deletes all the data received from the user terminal 300 from the local memory and the local storage. Similarly, after the official document 130 is transmitted, the document generation unit 126 also deletes the official document 130 itself from the local memory and the local storage. With this control method, the document generation device 100 acquires personal information only when generating the official document 130 and does not store it afterwards, so the risk of the personal information of the user PX leaking from the document generation device 100 can be minimized.
FIG. 13 is a flowchart showing the processing performed when the user terminal 300 is notified of missing tags.
When a missing tag exists, that is, when required data of the official document 130 is missing, the notification unit 120 of the document generation device 100 notifies the user terminal 300 of the missing tag. Here, it is assumed that the tags TF and TG are notified as missing tags, following the example of FIG. 11.
When missing data, that is, required data that has not been provided, is stored in the data storage unit 308 of the user terminal 300 (Y in S30), the user PX adjusts the second filter 330 (S32). For example, since the missing data D5 (TF) exists in the data storage unit 308 (see FIG. 7), the user PX only needs to change the tag TF to a permission tag in the second filter 330. When the missing data is not stored in the data storage unit 308 (N in S30), the processing in S32 is skipped.
If missing data that has not been output still remains after the adjustment of the first filter 160 (Y in S34), in other words, if there is missing data that is not yet held, the user PX inputs new data (S36). At this time, the output unit 312 of the user terminal 300 has the user input the data corresponding to the tag TG from the data replenishment screen 340 described later. Alternatively, the output unit 312 may display the message "Please input the data corresponding to the tag TG" together with a data input screen. If the tag TG is, for example, "date of birth", the output unit 312 may display a data input screen for entering the date of birth. Since the data corresponding to the missing tag TG does not exist in the data storage unit 308, the user PX inputs the data DX corresponding to the missing tag TG into the user terminal 300 (S36). The input unit 310 of the user terminal 300 accepts the input of the data DX. The data management unit 320 of the user terminal 300 then associates the tag TG with the newly input data DX and registers it in the data storage unit 308 as data DX (TG) (S38). If there is no such missing data (N in S34), the processes of S36 and S38 are skipped.
After all the missing data of the official document 130 has been replenished, the transmission unit 314 additionally transmits the missing data to the document generation device 100 (S40). When the missing tags are the tags TF and TG, the transmission unit 314 transmits the data D5 (TF) and the data DX (TG). Through the above process, the document generation device 100 acquires the required data of the official document 130.
Suppose that data DX (TI) is already registered in the data storage unit 308. In this case, when the user X inputs the data DX in response to the missing tag (TG), the data management unit 320 additionally associates the tag TG with the data DX, which is already associated with the tag TI. After the data DX is input, it is managed as data X (TG, TI), which can answer to both the tags TG and TI.
FIG. 14 is a screen view of the data replenishment screen 340.
When the document generation device 100 notifies the user terminal 300 of missing tags, the output unit 312 of the user terminal 300 displays the data replenishment screen 340. Here, it is assumed that the missing tags TF and TG have been notified. The output unit 312 displays the filter adjustment button 342 next to the missing tag TF and the data input button 344 next to the missing tag TG.
More specifically, when the missing data (TF) exists in the data storage unit 308, the output unit 312 displays the filter adjustment button 342 for adjusting the second filter 330 at the position corresponding to the tag TF. When the user PX touches the filter adjustment button 342, the filter setting unit 318 changes the tag TF from a prohibition tag to a permission tag in the second filter 330 (S32 in FIG. 13). With this change to the second filter 330, the missing data D5 (TF) can be transmitted to the document generation device 100.
When the missing data (TG) does not exist in the data storage unit 308, the output unit 312 displays the data input button 344 for entering data at the position corresponding to the tag TG. When the user touches the data input button 344, the output unit 312 displays a data input screen (not shown). When the user inputs the data DX on this data input screen, the data management unit 320 associates the data DX with the tag TG and registers it in the data storage unit 308. The missing data DX (TG) can then be transmitted to the document generation device 100.
FIG. 15 is a sequence diagram showing the processing performed when the authenticity of the official document 130 is confirmed.
The description here assumes a scene in which the user PY, who has been presented with the official document 130X by the user PX, confirms the authenticity of the official document 130X. The user PY reads the two-dimensional code 134 of the official document 130X using his or her own user terminal 300 (S50). The transmission unit 314 of the user terminal 300 transmits the issuance information (document ID and issue date and time) contained in the two-dimensional code 134 to the document generation device 100 (S52).
The certification unit 124 of the document generation device 100 determines that the official document 130X is genuine if the received issuance information is registered in the issuance history information 150. If it is not registered in the issuance history information 150, the certification unit 124 determines that the official document 130 is a forged document that was not issued by the document generation device 100 (S54). The transmission unit 118 transmits the determination result to the user terminal 300 (S56).
The user PY, presented with the official document 130X by the user PX, can easily confirm whether the official document 130X is genuine by querying the document generation device 100 with the issuance information contained in the two-dimensional code 134.
[Third Embodiment]
In the third embodiment, personal information is selectively transmitted from the user badge 350 to the document generation device 100 via the relay terminal 400, and the document generation device 100 generates various official documents 130 based on the received personal information. The official document 130 is transmitted as electronic data from the document generation device 100 to the relay terminal 400.
In the third embodiment, personal information is recorded on the user badge 350. The user badge 350 is equipped with a DI engine, but differs from the user terminal 300 in that it has neither a user interface function nor an Internet connection function. The user badge 350 holds the personal information and the second filter 330. The user badge 350 can transmit and receive data by short-range wireless communication that does not go through the Internet 102, such as NFC (Near Field Communication) or Bluetooth (registered trademark).
The user PX can also copy the personal information and the second filter 330 from the user terminal 300 to the user badge 350. For example, if the badge ID of the user badge 350 is registered in the user terminal 300, the transmission unit 314 of the user terminal 300 can write the personal information and the second filter 330 only to the registered user badge 350.
The user badge 350 is a badge-type information carrier. The information carrier may also be a card type. Various accessories such as rings, wristbands, and glasses may also be given the function of an information carrier (DI engine).
FIG. 16 is a hardware configuration diagram of the document generation system 210 according to the third embodiment.
In the document generation system 210, the document generation device 100 and the relay terminal 400 are connected by wire or wirelessly. Since the user badge 350 has no function for communicating via the Internet 102, in the third embodiment the user badge 350 transmits data to the document generation device 100 via the relay terminal 400.
The relay terminal 400 is installed in an ordinary store. A printer 406 is connected to the relay terminal 400. The relay terminal 400 includes a monitor 402 with a touch panel and a reader/writer 404 capable of reading and writing data by short-range wireless communication. The user PX has the relay terminal 400 read the personal information by holding the user badge 350 over the reader/writer 404. The relay terminal 400 transmits the personal information read from the user badge 350 to the document generation device 100, and the document generation device 100 generates the official document 130 and transmits its electronic data to the relay terminal 400. The relay terminal 400 prints the official document 130 on the printer 406.
FIG. 17 is a functional block diagram of the relay terminal 400.
The relay terminal 400 includes a user interface processing unit 410, a communication unit 412, a reader/writer processing unit 414, a data processing unit 416, and a data storage unit 418. The user interface processing unit 410 accepts operations from the user and handles processing related to the user interface, such as image display and audio output. The communication unit 412 handles communication with the document generation device 100 via a wireless communication network. The reader/writer processing unit 414 exchanges data with the user badge 350 through the reader/writer 404. The data storage unit 418 stores various information. The data processing unit 416 executes various processes based on the data acquired by the user interface processing unit 410, the communication unit 412, and the reader/writer processing unit 414, and on the data stored in the data storage unit 418. The data processing unit 416 also functions as an interface between the user interface processing unit 410, the communication unit 412, the reader/writer processing unit 414, and the data storage unit 418.
The user interface processing unit 410 includes an input unit 420 and an output unit 422. The input unit 420 accepts various operations from the user via the touch panel. The output unit 422 outputs various information as images, sound, and the like.
The communication unit 412 includes a reception unit 424 that transmits various information to the document generation device 100 and a transmission unit 426 that receives various information from the document generation device 100. The transmission unit 426 receives the first filter 160 from the document generation device 100.
The reader/writer processing unit 414 includes a data acquisition unit 428 that reads data from the user badge 350 and a data writing unit 430 that writes data to the user badge 350.
The data processing unit 416 includes an inspection unit 432, a filter setting unit 434, a data registration unit 436, and a print control unit 438.
Based on the first filter 160, the inspection unit 432 selects, from the data acquired from the user badge 350, the data to be transmitted to the document generation device 100. The filter setting unit 434 sets the first filter 160 received from the document generation device 100. The filter setting unit 434 can also change the permission tags and prohibition tags of the second filter 330 in response to an instruction from the user. The data registration unit 436 registers data in the user badge 350. The print control unit 438 controls the printer 406.
The DI engine of the user badge 350 encrypts data written to it and stores the data in its built-in local storage, and decrypts the encrypted data when outputting data from the local storage.
FIG. 18 is a schematic diagram for explaining the input/output control of personal information in the third embodiment.
The user badge 350 stores various personal information and the second filter 330. As in FIG. 6, it is assumed that the user badge 350 holds data D1 (TA), data D2 (TB, TE), data D3 (TC), data D4 (TD), and data D5 (TF). As in FIG. 7, it is assumed that in the second filter 330 the tags TA, TC, TD, and TE are permission tags and the tags TB and TF are prohibition tags.
Under the second filter 330, data D1 (TA), data D2 (TB, TE), data D3 (TC), and data D4 (TD) are output from the user badge 350, but data D5 (TF) is not output. As described above, the DI engine of the user badge 350 executes the decryption process when outputting data.
The user X enters, on the monitor 402, the user ID, the password, and the document type of the official document 130 to be issued (for example, a resident's card). The transmission unit 426 of the relay terminal 400 notifies the document generation device 100 of the document type. The filter setting unit 128 of the document generation device 100 sets the first filter 160 corresponding to the document type and transmits the first filter 160 to the relay terminal 400. Here, it is assumed that the document type (F2) is specified and the first filter 160 shown in FIG. 11 is transmitted. That is, in the first filter 160 the tags TA, TB, TC, TF, and TG are set as permission tags, and the tags TD and TE are set as prohibition tags.
The filter setting unit 434 of the relay terminal 400 sets the first filter 160 received from the document generation device 100. The inspection unit 432 determines, in accordance with the first filter 160, whether the data output from the user badge 350 can be accepted.
In accordance with the first filter 160, the filter setting unit 434 accepts data D1 (TA), data D2 (TB, TE), and data D3 (TC), but refuses to accept data D4 (TD). The filter setting unit 434 deletes the data D4 (TD), which it has received once, from the local memory.
The inspection unit 432 refers to the first filter 160 and the received data and identifies the missing tags TF and TG. At this time, the output unit 422 displays on the monitor 402 a screen similar to the data replenishment screen 340 shown in FIG. 14. The user PX can set the tag TF as a permission tag of the second filter 330 by touching the filter adjustment button 342. The filter setting unit 434 then changes the setting of the second filter 330 of the user badge 350 via the data writing unit 430, and the data acquisition unit 428 acquires the missing data D5 (TF) from the user badge 350. The transmission unit 426 transmits the missing data D5 (TF) to the document generation device 100.
The user PX can input the data DX corresponding to the tag TG by touching the data input button 344. The transmission unit 426 transmits the missing data DX (TG) to the document generation device 100. The data registration unit 436 also writes the data DX (TG) to the user badge 350 via the data writing unit 430.
When writing the data DX (TG) to the user badge 350, the user PX may be able to specify whether the tag TG is to be a permission tag or a prohibition tag in the second filter 330. The filter setting unit 318 adds a setting for the tag TG to the second filter 330 in accordance with the instruction from the user PX.
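The double-filter check of FIG. 18 and the missing-tag handling of FIGS. 13 and 14, as an added Python example that is not part of the patent text. The names `Datum`, `TagFilter`, `badge_output`, `relay_inspect` and `plan_replenishment` are hypothetical; the rule that a datum passes when any one of its tags is permitted is inferred from the D2 (TB, TE) example, and treating every permission tag of the first filter as a required tag is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Datum:
    name: str
    tags: frozenset  # one datum may carry several tags, e.g. D2(TB, TE)


@dataclass
class TagFilter:
    permitted: set
    prohibited: set

    def passes(self, datum):
        # Assumption: a datum passes when ANY of its tags is permitted.
        # Tags listed in neither set are denied by default.
        return bool(datum.tags & self.permitted)

    def permit(self, tag):
        # Move a tag from the prohibition side to the permission side (S32).
        self.prohibited.discard(tag)
        self.permitted.add(tag)


def badge_output(store, second_filter):
    """Data the badge releases under the holder's second filter."""
    return [d for d in store if second_filter.passes(d)]


def relay_inspect(received, first_filter, required_tags):
    """S62-S66: keep accepted data, drop the rest, list missing tags."""
    accepted = [d for d in received if first_filter.passes(d)]
    # Rejected data is not retained; only its name is reported here.
    discarded = [d.name for d in received if not first_filter.passes(d)]
    covered = set().union(*(d.tags for d in accepted))
    missing = sorted(set(required_tags) - covered)
    return accepted, discarded, missing


def plan_replenishment(missing, store):
    """FIG. 14: held-but-blocked data needs a filter change, absent data needs input."""
    held = set().union(*(d.tags for d in store))
    return {t: ("adjust_filter" if t in held else "enter_data") for t in missing}


# Assumption: all permission tags of the first filter are required tags.
REQUIRED = {"TA", "TB", "TC", "TF", "TG"}


def build_example():
    # Constructed sample matching the values given for FIG. 18.
    store = [
        Datum("D1", frozenset({"TA"})),
        Datum("D2", frozenset({"TB", "TE"})),
        Datum("D3", frozenset({"TC"})),
        Datum("D4", frozenset({"TD"})),
        Datum("D5", frozenset({"TF"})),
    ]
    second = TagFilter({"TA", "TC", "TD", "TE"}, {"TB", "TF"})
    first = TagFilter({"TA", "TB", "TC", "TF", "TG"}, {"TD", "TE"})
    return store, second, first


def first_attempt():
    store, second, first = build_example()
    accepted, discarded, missing = relay_inspect(
        badge_output(store, second), first, REQUIRED)
    plan = plan_replenishment(missing, store)
    return [d.name for d in accepted], discarded, missing, plan


def second_attempt():
    # Simplification: re-runs the whole flow instead of sending only the
    # missing data as in S40.
    store, second, first = build_example()
    second.permit("TF")                             # filter adjustment button 342
    store.append(Datum("DX", frozenset({"TG"})))    # data input button 344
    second.permit("TG")                             # holder chooses to permit TG
    accepted, discarded, missing = relay_inspect(
        badge_output(store, second), first, REQUIRED)
    return [d.name for d in accepted], discarded, missing


if __name__ == "__main__":
    print(first_attempt())
    print(second_attempt())
```

Under this any-tag rule, the prohibition on TB does not stop D2 from leaving the badge while TE is permitted, which is the behaviour the FIG. 18 example describes.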
FIG. 19 is a flowchart showing the official document issuance process of the relay terminal 400 in the third embodiment.
The user first enters into the relay terminal 400 an issuance request that specifies the document type, together with the user ID and password. The relay terminal 400 notifies the document generation device 100 of the document type, and the filter setting unit 128 of the document generation device 100 transmits the first filter 160 corresponding to the document type to the relay terminal 400. The document generation device 100 also notifies, for each permission tag of the first filter 160, whether it is a required tag or an optional tag. After these preparations are complete, the process shown in FIG. 19 starts.
The filter setting unit 434 of the relay terminal 400 sets the first filter 160 (S60). The inspection unit 432 inspects the various data received from the user badge 350 for unnecessary data, that is, data associated with a prohibition tag of the first filter 160 (S62). If there is unnecessary data (Y in S12), the inspection unit 432 deletes it from the local memory (S64). If there is no unnecessary data (N in S62), the processing in S64 is skipped.
Next, the inspection unit 432 inspects for missing data, that is, whether any data corresponding to a required tag is missing (S66). If no required data is missing (Y in S66), the transmission unit 426 transmits to the document generation device 100 all the required data needed for creating the official document 130 from among the data received from the user badge 350 (S68). When optional data has also been acquired, the transmission unit 426 transmits the optional data to the document generation device 100 as well.
The document generation unit 126 of the document generation device 100 creates the official document 130, and the transmission unit 118 of the document generation device 100 transmits the official document 130 (electronic data) to the relay terminal 400. The reception unit 424 of the relay terminal 400 receives the official document 130 (S70). The print control unit 438 controls the printer 406 to print the official document 130 (S72). With this control method, the user PX can receive the desired official document 130 at the store simply by holding the user badge 350 over the reader/writer 404 of the relay terminal 400.
If, on the other hand, required data is missing (N in S66), the output unit 422 prompts the user to supply the missing data (S74). As described above, the user PX supplies the missing data by adjusting the second filter 330 or by entering new data.
[Summary]
The document generation systems 200 and 210 have been described above based on the embodiments.
The user can aggregate personal information in the user terminal 300 by accessing a plurality of file servers 104. Because personal information distributed across various file servers 104 is collected into the user terminal 300, the registration burden is significantly lower than when personal information is registered in the user terminal 300 manually.
 図6に関連して説明したように、同じデータD2が、ファイルサーバ104aとファイルサーバ104bでは別々の項目名にて取り扱われていることもある。この場合、ユーザ端末300は、データD2に2つの項目名をタグTB,TEとして対応づけるので、データD2はさまざまな第1フィルタ160、第2フィルタ330に基づく通過検査に対応しやすくなる。 As described in relation to FIG. 6, the same data D2 may be handled by different item names in the file server 104a and the file server 104b. In this case, since the user terminal 300 associates the data D2 with two item names as tags TB and TE, the data D2 can easily correspond to the passage inspection based on various first filters 160 and second filters 330.
 たとえば、ユーザは、自分の居住地に関する情報を出力許可したいとする。この場合、ユーザはタグTB(住所)を第2フィルタ330の許可タグに設定してもよいし、タグTE(場所)を許可タグに設定してもよい。ユーザは「居住地に関する情報」から連想されるタグTBを許可タグとすれば、改めてタグTE(場所)も許可タグに設定する必要はない。このため、類似した名前のタグが多数生成された場合であっても、ユーザは1つのタグを許可タグとして選ぶだけで関連するタグも実質的に許可タグとできるため、タグが多様化しても管理しやすくなる。 For example, the user wants to allow the output of information about his / her place of residence. In this case, the user may set the tag TB (address) as the permission tag of the second filter 330, or may set the tag TE (location) as the permission tag. If the tag TB associated with "information about the place of residence" is used as the permission tag, the user does not need to set the tag TE (location) as the permission tag again. Therefore, even if a large number of tags with similar names are generated, the user can effectively use the related tags as permission tags by simply selecting one tag as the permission tag, so even if the tags are diversified. It will be easier to manage.
 さまざまな機関により運営される多数の文書生成装置100を想定した場合、文書生成装置100によって許可タグの名称が統一されるとは限らない。たとえば、文書生成装置100aでは「居住地に関する情報」についてタグTB(住所)が対応づけられ、文書生成装置100bでは「居住地に関する情報」についてタグTE(場所)が対応づけられるかもしれない。この場合、上述したように1つのデータに対して複数のタグを対応づけることで、データ管理に柔軟性をもたせることができる。 Assuming a large number of document generation devices 100 operated by various organizations, the name of the permission tag is not always unified by the document generation device 100. For example, the document generator 100a may be associated with a tag TB (address) for "information about a place of residence", and the document generator 100b may be associated with a tag TE (location) for "information about a place of residence". In this case, by associating a plurality of tags with one data as described above, it is possible to give flexibility to data management.
 ユーザは、第2フィルタ330を設定することにより、外部に出力してよい個人情報の範囲を定義できる。ユーザ端末300あるいはユーザバッジ350に個人情報を無制限に蓄積した上で、個人情報の出力可能範囲を設定する方式であるため、ユーザ端末300等に個人情報を集約しつつも過度な情報流出を招かないように制御できる。 The user can define the range of personal information that may be output to the outside by setting the second filter 330. Since the method is to store personal information in the user terminal 300 or the user badge 350 indefinitely and then set the output range of the personal information, the personal information is collected in the user terminal 300 or the like, but excessive information leakage is caused. It can be controlled so that it does not exist.
By accessing the document generation device 100 from the user terminal 300, or by holding the user badge 350 over the relay terminal 400, the user can receive the official document issuing service of the document generation device 100 anytime and anywhere. In other words, the user can have his or her identity certified by a public institution 24 hours a day, all year round.
The document generation device 100 sets a first filter 160 for each document type of the official document 130. Because the document generation device 100 or the relay terminal 400 deletes data unnecessary for creating the official document 130 from local memory and local storage, the document generation device 100 and the like do not collect unnecessary data. Furthermore, by deleting all received personal information from local memory or local storage after the official document 130 is issued, the document generation device 100 and the like enable even stricter information management.
When the double filter formed by the first filter 160 and the second filter 330 leaves the data needed to create the official document 130 incomplete, the user can supply the missing data by adjusting the second filter 330. In other words, merely by adjusting the second filter 330 according to the missing tags, the user can additionally transmit data to the document generation device 100 within the minimum necessary range. Also, when the user inputs new data in response to a missing tag, the missing tag and the new data are registered in association with each other in the user terminal 300 or the user badge 350.
Each time the user newly inputs data in response to a missing tag, the personal information becomes richer, and because the same data need not be input again from the next time onward, convenience also improves. Furthermore, when newly input data DX is already associated with another tag T1, the missing tag T2 is additionally associated with the data DX. As a result, from the next time onward the same data DX can serve for both tags T1 and T2, so the applicable range of the data DX is expanded. In this way, using the document issuing service of the document generation device 100 also increases the flexibility of data management.
When issuing the official document 130, the document generation device 100 registers the issue information in the issue history information 150. Therefore, by reading the two-dimensional code 134 of the official document 130 and querying the document generation device 100, the user can immediately confirm whether the official document 130 is genuine or forged.
The user can move or copy the personal information of the user terminal 300 to the user badge 350 together with the second filter 330. By carrying the user badge 350, which is lighter and easier to carry than the user terminal 300, the user can easily receive the identification service. The DI engine of the user badge 350 encrypts and stores the personal information in case the user badge 350 is lost. The relay terminal 400 may refuse to accept data from the reader/writer 404 when identity authentication by user ID and password does not succeed.
The present invention is not limited to the above-described embodiment and modifications, and its components can be modified and embodied within a range that does not depart from the gist. Various inventions may be formed by appropriately combining a plurality of the components disclosed in the above-described embodiment and modifications. In addition, some components may be deleted from all the components shown in the above-described embodiment and modifications.
[Modifications]
The present embodiment has been described assuming a situation in which the document generation device 100 is operated by a public institution and the user receives from the document generation device 100 a service of issuing an official document 130 such as a resident's card. The document generation device 100 may issue various documents other than the official document 130. For example, the documents to be issued may include a company point card, a parcel address sheet, a New Year's card, an investment report, a work report, a receipt, a medical chart, a slip, and the like. Further, the "document" generated by the document generation device 100 may be electronic data that contains information in a format other than text, such as a still image, a video file, or an audio file.
The document generation device 100 does not need to acquire all the data necessary for creating a document from the user. Part of the required data or optional data included in the document may be data stored in advance in the document generation device 100, or the document generation device 100 may acquire it from another file server 104.
The document generation device 100 or the relay terminal 400 may present the first filter 160 to the user. For example, the transmission unit 118 of the document generation device 100 may transmit the first filter 160 to the user terminal 300 or the relay terminal 400 and have the permission tags set in the first filter 160 displayed as a list. Before creating a document, the user may refer to the first filter 160 (the list of permission tags) and check the required tags and optional tags for each document.
There may be a plurality of second filters 330. The user may select any one of the plurality of second filters 330 as appropriate. For example, the user may select a second filter 330 according to the data output destination.
The user may combine a plurality of second filters 330 according to the data output destination. For example, the user may use the second filter 330A for the data output destination Y1, and use the second filter 330A and the second filter 330B for the data output destination Y2. In this case, the transmission unit 314 of the user terminal 300 may output only the data whose tags are set as permission tags in both the second filter 330A and the second filter 330B. With this control method, the strictness of the output range restriction on personal information can be controlled, according to the output destination, by the number of second filters 330 used.
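The double-filter flow described above (multi-tag data, the second filter on the user side, the first filter on the generator side, the missing-tag round trip, and combining several second filters) can be modelled as follows. This is an added example, not code from the patent; the class and tag names and all sample data are constructed, and combining second filters by intersecting their tag sets is an assumed reading of "set as permission tags in both".

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    value: str
    tags: set


@dataclass
class FirstFilter:               # set per document type by the document generator
    required: set
    optional: set = field(default_factory=set)


class UserTerminal:
    def __init__(self):
        self.records = []            # personal data, each with one or more tags
        self.second_filters = {}     # name -> set of tags the user allows out

    def store(self, value, tag):
        # Same data under a new tag: add the tag instead of storing a copy.
        for rec in self.records:
            if rec.value == value:
                rec.tags.add(tag)
                return rec
        rec = Record(value, {tag})
        self.records.append(rec)
        return rec

    def select_for_output(self, filter_names, only_tags=None):
        if not filter_names:
            return []                # no filter chosen: nothing leaves the terminal
        # Several second filters combine by intersection (assumed tag-level).
        allow = set.intersection(*(self.second_filters[n] for n in filter_names))
        if only_tags is not None:    # follow-up send limited to the missing tags
            allow &= set(only_tags)
        return [Record(r.value, set(r.tags)) for r in self.records if r.tags & allow]


class DocumentGenerator:
    def __init__(self, first_filters):
        self.first_filters = first_filters   # document type -> FirstFilter
        self.local_memory = []

    def receive(self, doc_type, records):
        ff = self.first_filters[doc_type]
        wanted = ff.required | ff.optional
        # A record conforms if ANY of its tags is in the first filter;
        # everything else is dropped and never held.
        self.local_memory += [r for r in records if r.tags & wanted]
        return self.missing_tags(doc_type)

    def missing_tags(self, doc_type):
        held = set().union(*(r.tags for r in self.local_memory))
        return sorted(self.first_filters[doc_type].required - held)

    def issue(self, doc_type):
        missing = self.missing_tags(doc_type)
        if missing:
            raise ValueError(f"missing required tags: {missing}")
        ff = self.first_filters[doc_type]
        doc = {}
        for tag in sorted(ff.required | ff.optional):
            match = next((r for r in self.local_memory if tag in r.tags), None)
            if match:
                doc[tag] = match.value
        self.local_memory = []       # delete received personal data after issue
        return doc


def run_demo():
    term = UserTerminal()            # all values below are constructed samples
    term.store("Taro Yamada", "name")
    term.store("1-2-3 Chiyoda, Tokyo", "address")    # tag used by one server
    term.store("1-2-3 Chiyoda, Tokyo", "location")   # same data, another server's tag
    term.store("1990-04-01", "birthdate")
    term.store("Example Corp", "employer")
    term.store("O", "blood_type")
    term.second_filters["public"] = {"name", "address", "employer"}
    term.second_filters["strict"] = {"name"}

    gen = DocumentGenerator(
        {"residence": FirstFilter({"name", "location", "birthdate"}, {"phone"})})
    missing = gen.receive("residence", term.select_for_output(["public"]))
    held = sorted(r.value for r in gen.local_memory)
    term.second_filters["public"] |= set(missing)    # user permits the missing tag
    still_missing = gen.receive(
        "residence", term.select_for_output(["public"], only_tags=missing))
    doc = gen.issue("residence")
    strict = [r.value for r in term.select_for_output(["public", "strict"])]
    return {"missing": missing, "held": held, "still_missing": still_missing,
            "doc": doc, "strict": strict, "left_in_memory": len(gen.local_memory)}


if __name__ == "__main__":
    print(run_demo())
```

The address record passes the second filter through its "address" tag and the first filter through its "location" tag, while the employer record is sent but dropped by the generator and the blood type never leaves the terminal.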
In the present embodiment, the two-dimensional code 134 has been described as containing the document ID and the issue date and time as the issue information. As a modification, the two-dimensional code 134 may contain a hash value of the document ID and the issue date and time. Using a hash value means the document ID and the like can no longer be read directly from the two-dimensional code 134, which makes forging a document by tampering with the two-dimensional code 134 even more difficult. Further, the issue information is not limited to the document ID and the issue date and time, and may include various other information. For example, the user ID of the user who requested issuance of the official document 130, the device ID of the document generation device 100 that issued the official document 130, and the like may be included as part of the issue information.
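A sketch of the hashed issue information and the authenticity query against the issue history, as an added example that is not part of the patent. It assumes a keyed hash (HMAC-SHA-256 with a secret held by the document generation device) in place of the plain hash value the text mentions, so that the value in the code cannot be computed offline from a guessed document ID and timestamp; the class name, method names and sample values are constructed.

```python
import hashlib
import hmac
import secrets


class IssueHistory:
    """Issue history kept by the document generation device (constructed model)."""

    def __init__(self, key=None):
        # Assumption: a device-held secret key, not something the patent specifies.
        self.key = key or secrets.token_bytes(32)
        self.entries = {}  # token carried in the 2D code -> (doc_id, issued_at)

    def token_for(self, doc_id, issued_at):
        # Length-prefix the ID so two different (ID, time) pairs cannot
        # serialize to the same byte string.
        msg = f"{len(doc_id)}:{doc_id}|{issued_at}".encode("utf-8")
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def register(self, doc_id, issued_at):
        """Called at issue time; the returned token is what the 2D code carries."""
        token = self.token_for(doc_id, issued_at)
        self.entries[token] = (doc_id, issued_at)
        return token

    def verify(self, token):
        """Confirmation request: returns the issue record, or None if not genuine."""
        return self.entries.get(token)


def demo():
    issued_at = "2021-08-02T10:00:00+09:00"           # constructed sample values
    history = IssueHistory(key=b"\x01" * 32)          # fixed key for a repeatable demo
    token = history.register("DOC-0001", issued_at)
    # One altered character in the code content.
    tampered = ("0" if token[0] != "0" else "1") + token[1:]
    # Token computed by someone who knows the ID and time but not the key.
    forged = IssueHistory(key=b"\x02" * 32).token_for("DOC-0001", issued_at)
    return {
        "genuine": history.verify(token),
        "tampered": history.verify(tampered),
        "forged": history.verify(forged),
        "id_readable_from_code": "DOC-0001" in token,
    }


if __name__ == "__main__":
    print(demo())
```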
The file server 104 lets the user terminals 300 of a large number of users download personal information. The file server 104 may delete personal information that has been downloaded to a user terminal 300 from its local storage. For example, when personal information (PX) is downloaded from the file server 104a by the user PX, the data management unit (not shown) of the file server 104a may delete the personal information (PX) from local storage after a certain period has elapsed. With this control method, the migration of data from the file server 104 to the user terminals 300 is promoted little by little. The more users download, the less data the file server 104 has to manage. Therefore, after downloading personal information from the file server 104 to the user terminal 300, the user no longer needs to worry about leakage of the personal information from the file server 104.
In the present embodiment, it has been described that when optional data is not input, the document generation device 100 generates an official document 130 that does not contain that optional data. As a modification, when optional data is not received, the inspection unit 122 may give notification of the optional tag as a missing tag. After receiving the notification, the user inputs the optional data at the user terminal 300 or the relay terminal 400. When the user inputs the optional data, the document generation device 100 generates an official document 130 containing the optional data. On the other hand, when the user declines to input the optional data, the document generation device 100 may generate an official document 130 that does not contain the optional data.
Although it has been described that the second filter 330 is registered in the user badge 350, the relay terminal 400 may read the second filter 330 from the user badge 350. That is, the relay terminal 400 may acquire the first filter 160 and the second filter 330, and the inspection unit 432 may select, based on both the first filter 160 and the second filter 330, the personal information in the user badge 350 that can be provided to the document generation device 100.
In the present embodiment, it has been described that the user's identity is confirmed by the user accessing the document generation device 100 with a user ID and password. Alternatively, the document generation device 100 may confirm the user's identity by eKYC (electronic Know Your Customer) authentication.

Claims (19)

  1.  A document generation device comprising:
     a receiving unit that receives tagged data from an external terminal;
     an inspection unit that refers to a first filter indicating the tags required for a document of a predetermined format and determines whether or not a tag attached to the received data conforms to the first filter; and
     a document generation unit that generates a document based on data conforming to the first filter.
  2.  The document generation device according to claim 1, wherein the inspection unit deletes data that does not conform to the first filter from local memory.
  3.  The document generation device according to claim 1, further comprising a notification unit that, when data associated with some of the plurality of tags included in the first filter is missing, gives notification of a missing tag, which is the tag of the missing data,
     wherein the document generation unit, when data corresponding to the missing tag is newly received, generates a document including the received data.
  4.  The document generation device according to claim 1, wherein the inspection unit, when a plurality of tags are attached to the received data, determines whether or not any of the plurality of tags conforms to a tag included in the first filter, and
     the document generation unit, when any of the plurality of tags conforms to the first filter, generates a document including the received data.
  5.  The document generation device according to claim 1, further comprising a transmission unit that transmits file data of the generated document to the external terminal,
     wherein the document generation unit generates an official document based on data provided from the external terminal.
  6.  The document generation device according to claim 1, further comprising a certification unit that confirms the authenticity of a document,
     wherein the document generation unit, when generating a document, assigns a document ID and an issue date and time to the document and registers the document ID and the issue date and time in association with each other as issue history information, and
     the certification unit, when a confirmation request including a document ID and an issue date and time is made from the external terminal, notifies the external terminal that the document is authentic if the document ID and the issue date and time included in the confirmation request are registered in the issue history information.
  7.  A communication terminal connected to the document generation device according to claim 3, comprising:
     a data storage unit that stores data and tags in association with each other;
     a filter setting unit that sets, according to input from a user, a second filter indicating the tags of data that may be transmitted to the outside; and
     a transmission unit that refers to the second filter, selects data tagged with a tag included in the second filter, and transmits the data to the document generation device,
     wherein the transmission unit, when the missing tag is re-set in the second filter after notification of the missing tag from the document generation device, transmits data corresponding to the missing tag to the document generation device.
  8.  The communication terminal according to claim 7, further comprising:
     an input unit that accepts input of data; and
     a data management unit that manages the data and tags in the data storage unit,
     wherein the transmission unit, when data is newly input in response to notification of a missing tag from the document generation device, attaches the missing tag to the input data and transmits the data to the document generation device, and
     the data management unit stores the input data and the missing tag in the data storage unit in association with each other.
  9.  The communication terminal according to claim 8, wherein the data management unit, when a first tag is already attached to data identical to the input data, additionally associates the missing tag with that data as a second tag.
  10.  A communication terminal comprising:
     a receiving unit that receives tagged data from each of a plurality of servers; and
     a data management unit that stores the received data and tags in a built-in storage device in association with each other,
     wherein the data management unit, when it receives first data tagged with a first tag from a first server and receives the first data tagged with a second tag from a second server, stores the first data in association with the first tag and the second tag.
  11.  The communication terminal according to claim 10, further comprising:
     a filter setting unit that sets, according to input from a user, a second filter indicating the tags of data that may be transmitted to the outside; and
     a transmission unit that refers to the second filter, selects data tagged with a tag included in the second filter, and transmits the data to an external device,
     wherein the transmission unit treats the first data as a transmission target when either the first tag or the second tag associated with the first data is set in the second filter.
  12.  A relay terminal connected to the document generation device according to claim 3, comprising:
     an input unit that accepts input of data from a user;
     a receiving unit that receives the first filter from the document generation device;
     a data acquisition unit that reads tagged data from an information carrier held by the user;
     an inspection unit that determines whether or not a tag attached to the read data conforms to the first filter; and
     a transmission unit that selects, from the read data, data conforming to the first filter and transmits the data to the document generation device,
     wherein the transmission unit, when data corresponding to the missing tag is input after notification of the missing tag from the document generation device, additionally transmits the data corresponding to the missing tag to the document generation device.
  13.  The relay terminal according to claim 12, further comprising a data registration unit that writes data to the information carrier,
     wherein the data registration unit, when data is input in response to the missing tag, writes the input data to the information carrier together with the missing tag.
  14.  The relay terminal according to claim 12, wherein a second filter indicating the tags of data that may be output to the outside is registered in advance in the information carrier,
     the relay terminal further comprising a filter setting unit that changes the setting of the second filter of the information carrier according to input from the user.
  15.  A document generation system comprising a communication terminal and a document generation device,
     wherein the communication terminal comprises:
     a data storage unit that stores data and tags in association with each other;
     a filter setting unit that sets, according to input from a user, a second filter indicating the tags of data that may be transmitted to the outside; and
     a transmission unit that, on accessing the document generation device, refers to the second filter, selects data tagged with a tag included in the second filter, and transmits the data to the document generation device,
     the document generation device comprises:
     a receiving unit that receives tagged data from the communication terminal;
     an inspection unit that refers to a first filter indicating the tags required for a document of a predetermined format and determines whether or not a tag attached to the received data conforms to the first filter;
     a document generation unit that generates a document based on data conforming to the first filter; and
     a notification unit that, when data associated with some of the plurality of tags included in the first filter is missing, gives notification of a missing tag,
     the transmission unit of the communication terminal, when the missing tag is re-set in the second filter after notification of the missing tag from the document generation device, transmits data corresponding to the missing tag to the document generation device, and
     the document generation unit of the document generation device, when data corresponding to the missing tag is received, generates a document including the received data.
  16.  A program that causes a computer to perform:
     a function of receiving tagged data from an external terminal;
     a function of referring to a first filter indicating the tags required for a document of a predetermined format and determining whether or not a tag attached to the received data conforms to the first filter; and
     a function of generating a document based on data conforming to the first filter.
  17.  A program that causes a computer to perform:
     a function of storing data and tags in association with each other;
     a function of setting, according to input from a user, a second filter indicating the tags of data that may be transmitted to the outside;
     a function of referring to the second filter, selecting data tagged with a tag included in the second filter, and transmitting the data to a document generation device; and
     a function of transmitting, when a missing tag is re-set in the second filter after notification of the missing tag from the document generation device, data corresponding to the missing tag to the document generation device.
  18.  A program that causes a computer to perform:
     a function of receiving tagged data from each of a plurality of servers;
     a function of storing the received data and tags in a built-in storage device in association with each other; and
     a function of storing, when first data tagged with a first tag is received from a first server and the first data tagged with a second tag is received from a second server, the first data in association with the first tag and the second tag.
  19.  A program that causes a computer to perform:
     a function of accepting input of data from a user;
     a function of receiving a first filter from a document generation device;
     a function of reading tagged data from an information carrier held by the user;
     a function of determining whether or not a tag attached to the read data conforms to the first filter;
     a function of selecting, from the read data, data conforming to the first filter and transmitting the data to the document generation device; and
     a function of additionally transmitting, when data corresponding to a missing tag is input after notification of the missing tag from the document generation device, the data corresponding to the missing tag to the document generation device.
PCT/JP2021/028626 2020-08-21 2021-08-02 Document generation device, communication terminal, relay terminal, and document generation system WO2022039012A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
JP2022543354A JPWO2022039012A1 (en) 2020-08-21 2021-08-02
KR1020237007118A KR20230057373A (en) 2020-08-21 2021-08-02 Document generation device, communication terminal, relay terminal and document generation system
EP21858160.1A EP4195141A4 (en) 2020-08-21 2021-08-02 Document generation device, communication terminal, relay terminal, and document generation system
US18/172,047 US20230196006A1 (en) 2020-08-21 2023-02-21 Document generation device, communication terminal, relay terminal, and document generation system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2020140194 2020-08-21
JP2020-140194 2020-08-21

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US18/172,047 Continuation US20230196006A1 (en) 2020-08-21 2023-02-21 Document generation device, communication terminal, relay terminal, and document generation system

Publications (1)

Publication Number Publication Date
WO2022039012A1 true WO2022039012A1 (en) 2022-02-24

Family

ID=80322656

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/028626 WO2022039012A1 (en) 2020-08-21 2021-08-02 Document generation device, communication terminal, relay terminal, and document generation system

Country Status (6)

Country Link
US (1) US20230196006A1 (en)
EP (1) EP4195141A4 (en)
JP (1) JPWO2022039012A1 (en)
KR (1) KR20230057373A (en)
TW (1) TW202215349A (en)
WO (1) WO2022039012A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005011049A (en) * 2003-06-19 2005-01-13 Nec Soft Ltd Database integration device
JP2006317992A (en) * 2005-05-10 2006-11-24 Quality Kk Personal information management system, personal information management server and personal information management program
JP2013025585A (en) * 2011-07-21 2013-02-04 Koshi Yamazaki Information generation and display device, information generation and display method and information generation and display program
JP5360157B2 (en) 2011-08-02 2013-12-04 株式会社デンソー Power transmission / reception system
JP2019062303A (en) * 2017-09-25 2019-04-18 富士ゼロックス株式会社 Information processing device, information processing program, and information processing system

Also Published As

Publication number Publication date
EP4195141A1 (en) 2023-06-14
TW202215349A (en) 2022-04-16
JPWO2022039012A1 (en) 2022-02-24
US20230196006A1 (en) 2023-06-22
KR20230057373A (en) 2023-04-28
EP4195141A4 (en) 2024-07-31

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 21858160; Country of ref document: EP; Kind code of ref document: A1

ENP Entry into the national phase
Ref document number: 2022543354; Country of ref document: JP; Kind code of ref document: A

ENP Entry into the national phase
Ref document number: 20237007118; Country of ref document: KR; Kind code of ref document: A

ENP Entry into the national phase
Ref document number: 2021858160; Country of ref document: EP; Effective date: 20230306

NENP Non-entry into the national phase
Ref country code: DE